Errata


The following typographical errors had unfortunately been overlooked in the document entitled MATHESIS: the Mathematical Foundation for ULYSSES.

On page 40, the reference after Definition 2.11 should be to Definition 1.7.

On page 104, the last rule of the first proof diagram should be (∀e) rather than (∀ae). The next to last line of the second diagram should be

$[S/x]M : [S/t]B$

and the third line following that diagram should read:

Here, the formula $\lambda x : M . M : (\forall x : C)B$ is the cut formula in the reduction step.

Finally, on page 113 in the second line of the Convention, replace $V_1$ by $U$.



INTRODUCTION 


This work is an introduction to MATHESIS, the underlying mathematical foundation for ULYSSES. In ULYSSES one proves that models, designs and formal specifications of information processing systems have security properties. For this to be meaningful it is essential that the underlying automated mathematical foundation itself be sound. It is a known fact that various design and program verification environments in widespread use within the computer security community have faulty logics and implementations; a knowledgeable user of these environments can exploit these flaws to prove false facts about a system. A less malicious user could inadvertently exploit these flaws and also prove false facts about systems. Machine certification of proofs is thus called into question when the certification mechanisms themselves are not appropriately certified.

There are two basic explanations of these flaws. First, the informal theory which stands logically prior to the theorem prover has not been adequately worked out. The purpose of this document is to work out such a theory for the ULYSSES mathematical component. In particular, we prove the formal consistency of this theory.

A second source of error occurs during implementation. Many automated mathematical components and theorem provers evolve incrementally; new features are continually added to make the theorem prover ever more powerful. Also, specific algorithms are replaced by more efficient ones. This maintenance, like most software maintenance, is usually done in an ad hoc manner. Logical flaws have a way of slipping in during such improvements. Our approach to this problem is to provide a mathematical foundation which in principle is much stronger than presently needed. The underlying logic is a true mathematical foundation in that the usual mathematical entities, viz. sets, sequences, functions, relations, etc., are all definable in terms of our ground entities. Future extensions of the theorem prover consist in adding definitions to the basic logic. The standard basic theorems about the new entities (what are usually called axioms) are then provable in the basic logic.

We thus have two requirements for a mathematical foundation for verification: the informal theory needs to be worked out prior to implementation; the foundational theory should be strong enough to support definitional extensions which will encompass a significant amount of mathematics. Several approaches to foundations satisfy these requirements. Our specific choice was determined by several further requirements. First, in order to add confidence to the correctness of the implementation it would be desirable that the underlying foundations have as few moving parts as possible; i.e. the number of basic entities, constructors, axioms, etc. be small. Second, it would be desirable for the foundation to have computational content. That is, within the logic mechanically decidable statements should be distinguishable from undecidable ones, and when statements are decidable the decision procedures encoded in their proofs should be available as computer programs. Logicians with a strictly mathematical background have not required this distinction; in computer science it separates the possible from the impossible. The natural logic for such computable entities is called constructive logic. There are cases where classical logic differs from constructive logic; namely, some classically valid proofs cannot be made in constructive logic. On the other hand, there is an important sense in which constructive logic is stronger than classical logic, since the latter can be interpreted in the former.

Since constructive logic is not well-known outside of certain subfields of mathematics and computer science, a few words about it may be in order. If one proves in constructive logic that something exists, then one must either give an explicit construction of that thing or else give a set of directions for constructing it. It follows from this that although in classical logic one is concerned only with truth and not how that truth is established, in constructive logic one is concerned with provability and one takes nothing to be true unless one actually has or can obtain access to a proof of it. This requires the denial of the law of excluded middle: A or not A. For if A is a statement that something exists, then A or not A means that either there is a set of directions for constructing that thing, or else there is a proof that there can be no such set of directions; this is clearly not true. This makes constructive logic seem a bit strange to those who are not used to it. Since constructive logic was first used in mathematics as one reaction to the paradoxes of set theory and logic which were discovered at the turn of the century, most examples of the difference between constructive and classical logic have generally been mathematical examples. Such examples can be found, among other places, at the beginning of [Bee85], which also has other references.

It might be worthwhile here to look at a nonmathematical example. The law of excluded middle might well lead a legislator to propose a criminal law in which there is one penalty for a crime if A is true of the particular case and a different penalty if A is false. In classical logic, one is justified in concluding that, if the crime covered by the law is committed and there is a conviction, then one of the two penalties would be applied. But in practice this does not follow. For suppose it turns out to be extremely difficult for the court system to decide whether or not A is true in a particular case. Then the case may be appealed all the way to the Supreme Court, a process which can take years (even more than a decade). During this time, neither penalty will be applied. And the courts may wind up deciding that A is so difficult to decide that the courts cannot do so constitutionally (as they might, for example, if they conclude as a matter of fact that trying to decide A is so difficult that it is impossible to do so in a way that does not treat people arbitrarily); in this case, the original law would be unconstitutional, and so no penalty would be applied (even if it were not in dispute that the defendant had committed the crime). Here is a nonmathematical case in which the law of excluded middle can be doubted.

Note the relationship between the use of constructive logic and the need to consider how a decision can be made. Constructive logic is often thought of as the logic of what can actually be done by computations if there are no limitations of time and space, and this makes it particularly appropriate for reasoning about computing in a general setting. In fact, this connection is the basis of Constable's Nuprl proof development system, in which executable programs are generated by proving mathematical theorems [C+86].

Because we are interested in a proof system, we are especially interested in referring to proofs. A good system of constructive logic in which proofs are mentioned explicitly is the theory of constructions of Coquand [Coq85]¹. This is a system of type assignment to λ-terms; the proofs are (roughly) represented by the terms and the formulas by the types. Although the rules of the system are easy to state, the system is, in fact, the result of a considerable evolution through a number of other systems of typed λ-calculus, and is best understood in the light of those systems.

For this reason we shall not take up the theory of constructions itself until Chapter 4. In Chapter 1 we shall take a look at typed λ-calculus. In Chapter 2 we shall consider deductive systems which assign types to λ-terms without types. We shall consider the basic system and several of its generalizations. These generalizations include the second-order polymorphic typed λ-calculus², Martin-Löf's theory of types³, and generalized type assignment in the style of [HS86] Chapter 16. The theory of constructions is a form of generalized type assignment, and so readers will be in a position at the end of Chapter 2 to proceed directly to the theory itself in Chapter 4.

However, to fully appreciate the theory of constructions, it is desirable to consider both constructive logic and the idea of interpreting terms as proofs and types as formulas. This idea, which is often called the Curry-Howard isomorphism, was introduced by a number of people independently, including [How80], who based the idea on an observation of Curry [CF58], §9H. We take up this subject in Chapter 3. We begin in Sections 3.1-3.2 with a simple calculus of constructive logic for implication formulas, and show its relation to the simple system of type assignment. We then proceed in Sections 3.3-3.4 to extend the system to the other propositional connectives, and show that the law of excluded middle fails in this calculus of constructive logic. This is enough of the chapter for a basic understanding of both constructive logic and the Curry-Howard isomorphism, and many readers may want to proceed directly from the end of Section 3.4 to Chapter 4. However, some readers may want to see a treatment of predicate logic, and in Sections 3.4 and 3.5, we present versions of (constructive) first-order predicate logic and higher-order predicate logic which illustrate the Curry-Howard isomorphism and look toward one of Coquand's motivations for creating the theory of constructions.

In Chapter 4, we come to the theory of constructions itself. We give its rules in a natural deduction formulation, which is a bit different from the form in which Coquand gave them but is more closely associated with the systems of type assignment mentioned in Chapter 2. We then proceed to prove the main consistency theorem for the system, the strong normalization theorem. We next show the relationship between the natural deduction formulation given here and the original formulation of Coquand.

¹ See also [CH84], [Coq86], [CH], [Coq86a], [Coq86b], and [Coq].

² This system was introduced independently by Girard [Gir71] and Reynolds [Rey74] and studied extensively by a number of people, including [FLO83].

³ See [Mar75], [Mar82], [Mar84], Chapter XI of [Bee85] and [C+86].

Finally, in Chapter 5, we take up the representation of logic and mathematics in the theory of constructions. This is clearly necessary if this theory is to serve as the mathematical basis for MATHESIS and the rest of the ULYSSES project. This work is all based on the work of Coquand and Huet⁴, but in addition to the definitions and examples of the papers of Coquand and Huet, we feel a need to use the strong normalization theorem to give some proofs that the representations of logical and mathematical concepts really behave correctly.


⁴ See [CH85] and [CH] in particular.


Chapter 1

TYPED LAMBDA-CALCULUS

The λ-calculus is a fundamental prototype for functional programming languages, and the typed λ-calculus is the natural typed version. Here we shall consider as much of the typed λ-calculus as we will need for the rest of the work. A general introduction to both the λ-calculus and the typed λ-calculus can be found in Hindley & Seldin [HS86].

Most of the systems we will consider will not have models in the usual set-theoretic sense of that term. However, ordinary typed λ-calculus does have such models, and so we shall begin with them.
1.1 Type symbols and type structures.


Types are used for various kinds of data structures in different programming languages. Here, we will be concerned with certain particular compound type structures which are fairly common. They are: 1) the function space type $\alpha \to \beta$ of functions with arguments in $\alpha$ and values in $\beta$, 2) the cartesian product $\alpha \times \beta$ of two types $\alpha$ and $\beta$, and 3) the disjoint sum $\alpha + \beta$ of two types $\alpha$ and $\beta$.

For some purposes, the only kind of compound type we will be interested in will be the function space type. In other cases we will be interested in all three kinds of compound types. This leads to the two kinds of type symbols in the following definition:


Definition 1.1 (Type symbol) Assume that we have (finitely or countably many) atomic type symbols $\theta_1, \ldots, \theta_n, \ldots$. Then basic type symbols are defined as follows:

(a) Every atomic type symbol is a type symbol; and

(b) If $\alpha$ and $\beta$ are type symbols, then so is $(\alpha \to \beta)$.

Extended type symbols are defined by (a) and:

(c) If $\alpha$ and $\beta$ are type symbols, then so are $(\alpha \to \beta)$, $(\alpha \times \beta)$ and $(\alpha + \beta)$.


Remark It might appear that the basic type symbols limit us to functions of one variable. This appearance is false, for functions of several variables can be reduced to functions of one variable by a process known as currying (after H. B. Curry, who used it extensively; actually the process was used by others before Curry). To see how currying works, consider the example

$h(x, y) = x - y.$

Let $h^*$ be the one-place function whose value $h^*(a)$ at an argument $a$ is defined to be the function

$f(y) = a - y = h(a, y).$

Then we have

$h^*(x)(y) = h(x, y),$

and we have replaced our original two-place function by a new function of one variable. Our notation will reflect the process of currying, since

$\alpha_1 \to \alpha_2 \to \cdots \to \alpha_{n-1} \to \alpha_n$

will be an abbreviation for

$\alpha_1 \to (\alpha_2 \to (\ldots(\alpha_{n-1} \to \alpha_n)\ldots)).$

Additional notation. In extended type symbols, unnecessary parentheses will be omitted. The infixes $\times$ and $+$ will have a smaller scope than $\to$.

As a semantics for these type symbols, we associate with each type symbol $\alpha$ a set $D_\alpha$.

Definition 1.2 (Type structures) Assume that for each atomic type $\theta$ there is a set $D_\theta$. Then we define $D_\alpha$ for each compound type symbol $\alpha$ as follows:

(a) $D_{\alpha \to \beta}$ is the set of all functions with arguments in $D_\alpha$ and values in $D_\beta$;

(b) $D_{\alpha \times \beta}$ is the cartesian product $D_\alpha \times D_\beta$ of $D_\alpha$ and $D_\beta$; and

(c) $D_{\alpha + \beta}$ is the disjoint sum $D_\alpha + D_\beta$ of $D_\alpha$ and $D_\beta$.

A basic type structure is then defined to be the set

$\{D_\alpha \mid \alpha \text{ is a basic type symbol}\}.$

An extended type structure is defined to be the set

$\{D_\alpha \mid \alpha \text{ is an extended type symbol}\}.$

It is usual in set theory to take for the cartesian product $A \times B$ the set of all ordered pairs $(a, b)$ where $a \in A$ and $b \in B$. This is not strictly necessary here: all we really need is an operator $d_{A,B} : A \to B \to A \times B$ and two operators $\mathrm{fst}_{A,B} : A \times B \to A$ and $\mathrm{snd}_{A,B} : A \times B \to B$ such that $\mathrm{fst}_{A,B}(d_{A,B}(a, b)) = a$ and $\mathrm{snd}_{A,B}(d_{A,B}(a, b)) = b$. It is not strictly necessary that $d_{A,B}(a, b)$ be the pair $(a, b)$, but we will usually think of it that way, and so we will call it a pairing operator. The operators $\mathrm{fst}_{A,B}$ and $\mathrm{snd}_{A,B}$ will be called projection functions. If $A$ and $B$ are the sets $D_\alpha$ and $D_\beta$ respectively, then instead of $d_{A,B}$, etc., we shall write $d_{\alpha,\beta}$, etc.

The disjoint sum $A + B$ is formed from $A$ and $B$ by making a copy $\mathrm{inl}_{A,B}(a)$ of each element $a \in A$ and a copy $\mathrm{inr}_{A,B}(b)$ of each $b \in B$ in such a way that each $\mathrm{inl}_{A,B}(a)$ is distinct from each $\mathrm{inr}_{A,B}(b)$, and then letting $A + B$ be the union of all the copies. In other words,

$A + B = \{\mathrm{inl}_{A,B}(a) \mid a \in A\} \cup \{\mathrm{inr}_{A,B}(b) \mid b \in B\}.$

Given any element of this disjoint union, it is possible to tell which of the sets it originally came from. It follows that there is, for any set $C$, a function

$\mathrm{case}_{A,B,C} : A + B \to (A \to C) \to (B \to C) \to C,$

such that, if $f : A \to C$, $g : B \to C$, $a \in A$, and $b \in B$, then

$\mathrm{case}_{A,B,C}(\mathrm{inl}_{A,B}(a), f, g) = f(a)$

and

$\mathrm{case}_{A,B,C}(\mathrm{inr}_{A,B}(b), f, g) = g(b).$

As before, we shall use the notation $\mathrm{case}_{\alpha,\beta,\gamma}$, etc.

Often there is an interest in a type which is empty. This type will be called void, and will, for now, be taken as an atomic type. $D_{\mathrm{void}}$ will be the empty set.

In some cases, we will want the type $N$ of the natural numbers. This will also be an atomic type, and $D_N$ will simply be the set of natural numbers. The successor function will be denoted by $\sigma$.

Note that a type structure does not include any set of pairs in which there are pairs in which the first elements are in the same type but the second elements are in different types. Thus, there is no nontrivial way in a type structure to make the type of the second element depend on the first element rather than on the type of the first element. In particular, in a set of pairs whose first elements are natural numbers, all of the second elements must be of the same type. (Of course, sets with pairs whose first elements have the same type but whose second elements have different types can be formed by taking arbitrary unions, but they are not part of a type structure as defined by Definition 1.2.)




1.2 The typed λ-calculus.

So far, we have talked about structures consisting of sets and some functions associated with them. Except for these functions and the natural numbers, we have not talked about any of the elements of the sets. Here, we introduce a formalism of terms which will represent these objects. The formalism we will use is the typed λ-calculus.

The basic idea behind the λ-calculus is the λ-notation of Alonzo Church. The idea is really simple: we are used to saying that if $f$ represents the squaring function, so that $f(x) = x^2$, then $f(2) = 2^2 = 4$. We also sometimes say that this function $f$ is given by $x \mapsto x^2$. We might well ask why we do not write

$(x \mapsto x^2)(2) = 2^2 = 4.$

The reason is that in the 1930s, Alonzo Church proposed writing

$(\lambda x . x^2)(2) = 2^2 = 4. \quad (1.1)$

This is the basis of the λ-calculus.

In the λ-calculus, we use complete currying. In this notation, the term representing the function $h^*$ of §1 is

$\lambda x . \lambda y . h(x, y).$

Since we are interested in terms representing objects in the sets of type structures, we are really interested in the typed λ-calculus. There are a number of forms of this system, depending on which types we are using. Let us begin with the basic type symbols.

Definition 1.3 (Basic typed λ-terms) Assume that we have infinitely many individual term variables, where each variable is assigned a type symbol in such a way that there are an infinite number of variables assigned to each type, and suppose that $x^\alpha$ indicates a variable of type (symbol) $\alpha$. Then basic typed λ-terms are defined as follows:

(a) each typed variable $x^\alpha$ is a typed term of type $\alpha$;

(b) if $M^{\alpha \to \beta}$ and $N^\alpha$ are typed terms of types $\alpha \to \beta$ and $\alpha$ respectively, then $(M^{\alpha \to \beta} N^\alpha)^\beta$ is a typed term of type $\beta$; and

(c) if $x^\alpha$ is a variable of type $\alpha$ and $M^\beta$ is a term of type $\beta$, then $(\lambda x^\alpha . M^\beta)^{\alpha \to \beta}$ is a term of type $\alpha \to \beta$.

A term of the form given by (b) is called an application term. A term of the form given by (c) is called an abstraction term.

Notation Parentheses will be omitted when no confusion results. For compound application terms, parentheses will be omitted by association to the left, so that

Superscripts indicating types will sometimes be omitted when the type is clear from the context.

The notation

$M \equiv N$

will mean that "$M$" and "$N$" are names for the same term. This notation will be especially used in definitions, such as Definition 1.5 below.

Examples

(a) $(\lambda x^\alpha . x^\alpha)^{\alpha \to \alpha}$ represents the identity function of type $\alpha$.

(b) If $F^{\beta \to \gamma}$ and $G^{\alpha \to \beta}$ are terms of types $\beta \to \gamma$ and $\alpha \to \beta$ respectively, then $\lambda x^\alpha . F^{\beta \to \gamma}(G^{\alpha \to \beta} x^\alpha)$ represents the composition of the functions represented by $F^{\beta \to \gamma}$ and $G^{\alpha \to \beta}$.

(c) $\lambda x^{\beta \to \gamma} . \lambda y^{\alpha \to \beta} . \lambda z^\alpha . x^{\beta \to \gamma}(y^{\alpha \to \beta} z^\alpha)$, which is a term of type $(\beta \to \gamma) \to (\alpha \to \beta) \to \alpha \to \gamma$, represents the operation of composition of functions of types $\alpha \to \beta$ and $\beta \to \gamma$.

(d) If $M^\alpha$ is a term of type $\alpha$ and $x^\beta$ is a variable of type $\beta$ which does not occur free in $M^\alpha$ (in the sense of Definition 1.4 below), then $(\lambda x^\beta . M^\alpha)^{\beta \to \alpha}$ represents a constant function whose value for each argument is the object represented by $M^\alpha$.

(e) $\lambda x^\alpha . \lambda y^\beta . x^\alpha$, which is a term of type $\alpha \to \beta \to \alpha$, represents the operator which forms constant functions with arguments in $\beta$ and value in $\alpha$.

Definition 1.4 (Free and bound variables) An occurrence of a variable $x^\alpha$ in a term $M$ is bound if it is in a part of $M$ of the form $\lambda x^\alpha . N^\beta$; otherwise it is free. If $x^\alpha$ has at least one free occurrence in $M$, it is called a free variable of $M$. The set of all free variables of $M$ is called $\mathrm{FV}(M)$. A closed term is a term without any free variables.

If one of the atomic types is void, then by Definition 1.3 there will be variables of this type. However, it is the intention that there be no closed term of type void. A proof that there is no closed term of type void is a kind of consistency result for typed λ-calculus.

Definition 1.5 (Substitution) For a term $M^\beta$, a variable $x^\alpha$, and another term $N^\alpha$ of the same type as the variable, the result of substituting $N^\alpha$ for $x^\alpha$ in $M^\beta$, denoted

$[N^\alpha/x^\alpha]M^\beta,$

is the result of substituting $N^\alpha$ for each free occurrence of $x^\alpha$ in $M^\beta$ and changing bound variables to avoid clashes. The precise definition, by induction on the structure of $M^\beta$, is as follows, where some type superscripts are omitted:

(a) $[N^\alpha/x^\alpha]x^\alpha = N^\alpha$;

(b) $[N^\alpha/x^\alpha]y^\beta = y^\beta$ for all variables $y^\beta$ distinct from $x^\alpha$;

(c) $[N^\alpha/x^\alpha](P^{\gamma \to \beta} Q^\gamma) = ([N^\alpha/x^\alpha]P^{\gamma \to \beta})([N^\alpha/x^\alpha]Q^\gamma)$;

(d) $[N^\alpha/x^\alpha](\lambda x^\alpha . P^\gamma) = \lambda x^\alpha . P^\gamma$;

(e) $[N^\alpha/x^\alpha](\lambda y^\gamma . P^\delta) = \lambda y^\gamma . [N^\alpha/x^\alpha]P^\delta$

if $y^\gamma \not\equiv x^\alpha$ and $y^\gamma \notin \mathrm{FV}(N^\alpha)$ or $x^\alpha \notin \mathrm{FV}(P^\delta)$; and

(f) $[N^\alpha/x^\alpha](\lambda y^\gamma . P^\delta) = \lambda z^\gamma . [N^\alpha/x^\alpha][z^\gamma/y^\gamma]P^\delta$

if $y^\gamma \not\equiv x^\alpha$, $y^\gamma \in \mathrm{FV}(N^\alpha)$, $x^\alpha \in \mathrm{FV}(P^\delta)$, and $z^\gamma$ is the first variable with the same type as $y^\gamma$ in a standard enumeration of variables which is not in $\mathrm{FV}(N^\alpha)$ or $\mathrm{FV}(P^\delta)$.

If the type of $N$ differs from the type of $x$, then $[N/x]M$ is not defined.

We are now in a position to introduce a relation which corresponds to the process of calculating values, as in (1.1) above. This relation is called reduction. The main idea behind reduction is the instruction we always give beginners for evaluating $f(x)$. For example, if $f(x) = x^2$, the instruction for evaluating $f(2)$ is to replace $x$ by 2, thus getting $2^2 = 4$. This idea gives us the essential relation between a redex and its contractum in the next definition.

Definition 1.6 (Reduction) A (one-step) change of bound variable consists of the replacement of a subterm of a term of the form

$\lambda x^\alpha . M^\beta$

by

$\lambda y^\alpha . [y^\alpha/x^\alpha]M^\beta$

where $y^\alpha \notin \mathrm{FV}(M^\beta)$. A redex is a term of the form $(\lambda x^\alpha . M^\beta)N^\alpha$; its contractum is $[N^\alpha/x^\alpha]M^\beta$. A contraction is the replacement of a redex by its contractum in a term (where the redex before the contraction and the contractum after the contraction are subterms of the term being contracted). A reduction is a (possibly empty) sequence of contractions and changes of bound variable.

If $M$ reduces to $N$, we write

$M \triangleright N.$


Definition 1.7 (Conversion) An expansion is the reverse of a contraction; i.e., $M$ expands to $N$ if and only if $N$ contracts to $M$. A term $M$ is said to convert to $N$ if $N$ can be obtained from $M$ by a (possibly empty) sequence of contractions, expansions, and changes of bound variable.

If $M$ converts to $N$, we write

$M = N.$


Let us now turn our attention to the other type-forming operators, $\times$ and $+$. For terms of type $\alpha \times \beta$, we need a pairing operator $D_{\alpha,\beta}$ of type $\alpha \to \beta \to \alpha \times \beta$. We will also want terms representing the projection functions: we want $\mathrm{fst}_{\alpha,\beta}$ and $\mathrm{snd}_{\alpha,\beta}$ of types $\alpha \times \beta \to \alpha$ and $\alpha \times \beta \to \beta$ respectively such that

$\mathrm{fst}_{\alpha,\beta}(D_{\alpha,\beta} M^\alpha N^\beta) \triangleright M^\alpha$ and $\mathrm{snd}_{\alpha,\beta}(D_{\alpha,\beta} M^\alpha N^\beta) \triangleright N^\beta.$

To deal with terms of type $\alpha + \beta$, we need terms $\mathrm{inl}_{\alpha,\beta}$, $\mathrm{inr}_{\alpha,\beta}$, and $\mathrm{case}_{\alpha,\beta,\gamma}$ of types $\alpha \to \alpha + \beta$, $\beta \to \alpha + \beta$ and $\alpha + \beta \to (\alpha \to \gamma) \to (\beta \to \gamma) \to \gamma$ respectively such that

$\mathrm{case}_{\alpha,\beta,\gamma}(\mathrm{inl}_{\alpha,\beta} M^\alpha) F^{\alpha \to \gamma} G^{\beta \to \gamma} \triangleright F^{\alpha \to \gamma} M^\alpha$

and

$\mathrm{case}_{\alpha,\beta,\gamma}(\mathrm{inr}_{\alpha,\beta} N^\beta) F^{\alpha \to \gamma} G^{\beta \to \gamma} \triangleright G^{\beta \to \gamma} N^\beta.$

We will also want to have natural numbers represented. This can be accomplished by taking one of the atomic type symbols to be $N$ and postulating atomic terms $0^N$ of type $N$, $\sigma^{N \to N}$ of type $N \to N$, and, to represent primitive recursive functions, $R_\alpha$ of type $\alpha \to (N \to \alpha \to \alpha) \to N \to \alpha$ such that

$R_\alpha M^\alpha N^{N \to \alpha \to \alpha} 0^N \triangleright M^\alpha$

and

$R_\alpha M^\alpha N^{N \to \alpha \to \alpha} (\sigma^{N \to N} n^N) \triangleright N^{N \to \alpha \to \alpha} n^N (R_\alpha M^\alpha N^{N \to \alpha \to \alpha} n^N),$

where $n^N$ is the term representing the natural number $n$, that is, is the term

$\sigma^{N \to N}(\sigma^{N \to N}(\ldots(\sigma^{N \to N} 0^N)\ldots)) \quad (1.2)$

where there are $n$ occurrences of $\sigma^{N \to N}$.
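The type-structure operators of Section 1.1 and the two equations just given for $R_\alpha$, realised on ordinary Python values as an added example (this is not code from the MATHESIS/ULYSSES text; the names d, fst, snd, inl, inr, case, sigma and R are ours, and plus, times, pred and factorial show that R alone defines primitive recursive functions):

```python
# Added example, not code from the MATHESIS/ULYSSES text: the operators of an
# extended type structure on plain Python values.  Pairing d with the
# projections fst and snd, the disjoint sum with inl, inr and case, the
# successor sigma on D_N, and the recursor R, which is characterised only by
# the two equations of the text:
#     R m n 0         = m
#     R m n (sigma k) = n k (R m n k)
# All function names are ours; "sigma" stands for the text's σ.
from typing import Callable, TypeVar

A = TypeVar("A")
B = TypeVar("B")
C = TypeVar("C")

# D_{A x B}: any pairing operator with fst(d(a, b)) = a and snd(d(a, b)) = b
# will do, as the text remarks; tuples are simply the obvious choice.
def d(a: A, b: B) -> tuple[A, B]:
    return (a, b)

def fst(p: tuple[A, B]) -> A:
    return p[0]

def snd(p: tuple[A, B]) -> B:
    return p[1]

# D_{A + B}: tagged copies, so inl(v) is never equal to inr(v) even when the
# same value v lies in both A and B.
def inl(a: A) -> tuple[str, A]:
    return ("inl", a)

def inr(b: B) -> tuple[str, B]:
    return ("inr", b)

def case(s: tuple[str, object], f: Callable[[A], C], g: Callable[[B], C]) -> C:
    """case_{A,B,C}(inl(a), f, g) = f(a) and case_{A,B,C}(inr(b), f, g) = g(b)."""
    tag, v = s
    if tag == "inl":
        return f(v)
    if tag == "inr":
        return g(v)
    raise ValueError(f"not an element of a disjoint sum: {s!r}")

# D_N: the natural numbers with successor sigma.
def sigma(k: int) -> int:
    return k + 1

def R(m: A, n: Callable[[int], Callable[[A], A]]) -> Callable[[int], A]:
    """The recursor, curried as in the text: R m n : N -> A.

    R m n k unfolds the second equation k times, innermost application
    first, e.g. R m n 2 = n 1 (n 0 m).  Only numerals sigma^k(0), i.e.
    non-negative ints, are admitted, so the loop always terminates."""
    def rec(k: int) -> A:
        if k < 0:
            raise ValueError("R is only defined on the natural numbers")
        acc = m                      # R m n 0 = m
        for i in range(k):           # R m n (sigma i) = n i (R m n i)
            acc = n(i)(acc)
        return acc
    return rec

# Primitive recursive functions obtained from R alone, in the usual way.
def plus(x: int, y: int) -> int:
    return R(x, lambda k: lambda r: sigma(r))(y)

def times(x: int, y: int) -> int:
    return R(0, lambda k: lambda r: plus(x, r))(y)

def pred(y: int) -> int:             # pred(0) = 0, pred(sigma k) = k
    return R(0, lambda k: lambda r: k)(y)

def factorial(y: int) -> int:        # (sigma k)! = sigma(k) * k!
    return R(1, lambda k: lambda r: times(sigma(k), r))(y)

def demo() -> dict:
    """Check the defining equations on sample values constructed here."""
    p = d(3, "b")
    s = case(inl(3), lambda a: plus(a, 1), lambda b: 0)   # takes the inl branch
    return {"fst": fst(p), "snd": snd(p), "case": s,
            "distinct_copies": inl(0) != inr(0),
            "plus": plus(2, 3), "times": times(3, 4),
            "pred": pred(5), "fact": factorial(5)}
```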

We are now ready to define extended typed λ-terms.

Definition 1.8 (Extended typed λ-terms) Assume that one of the atomic types is $N$. Assume that we have individual term variables as in Definition 1.3 and that, in addition, we have the following atomic constants for any types $\alpha$, $\beta$, and $\gamma$: $D_{\alpha,\beta}$ of type $\alpha \to \beta \to \alpha \times \beta$, $\mathrm{fst}_{\alpha,\beta}$ of type $\alpha \times \beta \to \alpha$, $\mathrm{snd}_{\alpha,\beta}$ of type $\alpha \times \beta \to \beta$, $\mathrm{inl}_{\alpha,\beta}$ of type $\alpha \to \alpha + \beta$, $\mathrm{inr}_{\alpha,\beta}$ of type $\beta \to \alpha + \beta$, $\mathrm{case}_{\alpha,\beta,\gamma}$ of type $\alpha + \beta \to (\alpha \to \gamma) \to (\beta \to \gamma) \to \gamma$, $0^N$ of type $N$, $\sigma^{N \to N}$ of type $N \to N$, and $R_\alpha$ of type $\alpha \to (N \to \alpha \to \alpha) \to N \to \alpha$. An atomic term is a variable or an atomic constant. Extended typed terms are defined as in Definition 1.3 except that any atomic terms may occur in (a).

Definitions 1.4 and 1.5 hold for extended typed terms as well as for basic typed terms. For reduction, we need some new kinds of redexes. The redexes of Definition 1.6 are called β-redexes to distinguish them from the other redexes needed here. (On the significance of this name, see Hindley & Seldin [HS86] Chapter 7.)

Definition 1.9 (Reduction) Reduction is defined as in Definition 1.6 except that in addition to β-redexes we now have the following additional redexes (given with their contracta):

where $n^N$ is the term given in (1.2) above. Definition 1.7 now holds as before.
1.3 The basic theory of typed λ-calculus

Let us begin with the theory of basic typed λ-terms of Definition 1.3.

Lemma 1.1 (Replacement) If an occurrence of a typed term $P^\alpha$ in a typed term $M^\beta$ is replaced by another term with type $\alpha$, then the result is a typed term of type $\beta$.

Proof By induction on the structure of $M^\beta$. ■

Theorem 1.1 (Invariance of reduction) If $M^\alpha \triangleright N$, then $N$ has type $\alpha$.

Proof By Lemma 1.1, it is sufficient to prove that types are preserved by changes of bound variable and that a contractum has the same type as its redex. This will follow in both cases from the fact that $[N^\alpha/x^\alpha]M^\beta$ is a term of type $\beta$, and this latter fact can be seen by applying Lemma 1.1 to the cases of Definition 1.5. ■

We  noted  in  Section  1.2  above  that  reduction  corresponds  to  the  process  of  evaluating 
the  result  of  applying  a  function  to  an  argument.  Since  there  are  many  well-known 
calculations  that  never  come  to  an  end,  we  might  expect  to  find  typed  A-terms  that  can 
begin  reductions  continuing  forever.  In  a  trivial  sense,  most  typed  A-terms  begin  such 
a  reduction,  since  bound  variables  can  be  changed  whenever  they  occur.  But  changing 
bound  variables  does  not  really  correspond  to  a  calculation  step;  what  we  really  want 
to know is whether there is a typed term with the property that every term to which
it  reduces  contains  an  occurrence  of  a  redex.  It  turns  out  that  the  answer  is  no. 

Definition 1.10 (Normal form) A term is said to be in normal form if there is no
occurrence of a redex in it. If $M^\alpha \rhd N^\alpha$, where $N^\alpha$ is in normal form, then $N^\alpha$ is said
to be a normal form of $M^\alpha$.

Theorem 1.2 (Normal form theorem) Every basic typed term has a normal form;
i.e., every basic typed term can be reduced to a term in normal form.

Proof Define the degree of a type-symbol to be the number of occurrences of the symbol
→ in it, and define the degree of a redex $(\lambda x^\alpha . M^\beta) N^\alpha$ to be the degree of the type $\alpha \to \beta$
of the abstraction part of the redex. The proof is by an induction on the pair $(d, n)$,
where $d$ is the maximum degree of any redex in the given term and $n$ is the number of
occurrences in the term of redexes with degree $d$. The pairs are ordered by specifying
that $(d, n) < (d', n')$ if and only if either $d < d'$ or else $d = d'$ and $n < n'$. Since changing
bound variables does not change the pair associated with a given term, it is sufficient to
concentrate on the contraction of redexes. At each stage a redex $(\lambda x^\alpha . M^\beta) N^\alpha$ is chosen
which has degree $d$ and is such that there is no occurrence in $N^\alpha$ of a redex of degree $d$. The
only redexes of degree $d$ in the contractum $[N^\alpha/x^\alpha]M^\beta$ are substitution instances of
those occurring in $M^\beta$; hence, if the pair associated with the original term is $(d, n)$, then
the pair associated with the term obtained by carrying out the contraction is $(d, n-1)$ if
$n > 1$ and is $(d', n')$ for $d' < d$ if $n = 1$. (Note that $n$ can never be 0.) Hence, each such
contraction leads to a new term with a pair lower in the ordering than the original term,
and since the pairs under this ordering are well founded, it follows that the reduction
process must terminate in a term in normal form. ■


Corollary 1.2.1 There is no closed basic typed λ-term in normal form with an atomic
type.

Proof Let $P^\theta$ be a closed term in normal form of type $\theta$, where $\theta$ is an atomic type.
Then $P^\theta$ is not a variable, and since $\theta$ is atomic, it is not an abstraction term. It follows
that $P^\theta$ is an application term. Suppose it has the form $P_0 P_1 \ldots P_m$, where $P_0$ is not an
application term and type superscripts are omitted for convenience. (Every application
term can be written in this form.) If $P_0$ were an abstraction term, then $P^\theta$ would not
be in normal form. It follows that $P_0$ is a variable, and hence $P^\theta$ is not a closed term,
contrary to hypothesis. ■

This  corollary  shows  that  the  normalization  theorem  gives  us  a  kind  of  consistency 
result.  For  if  void  is  one  of  the  atomic  types,  then  it  shows  that  there  is  no  closed  term 
in  normal  form  of  type  void.  Since,  as  can  be  easily  proved,  reduction  never  introduces 
any  new  free  variables  into  a  term,  it  follows  that  there  is  no  closed  term  in  any  atomic 
type,  and  hence  there  is  none  in  void. 

There is no problem about extending Lemma 1.1 and Theorem 1.1 to extended typed
terms. Furthermore, Theorem 1.2 can be extended to extended typed terms involving
(fst), (snd), (case1), (case2), and (R1) redexes. But as soon as (R2) redexes are allowed,
there is a problem, for it is possible to have a subterm of the form $R_\alpha M^\alpha N^{\mathrm N \to \alpha \to \alpha} P^{\mathrm N}$
which is not a redex but which becomes a redex after contractions are carried out in
$P^{\mathrm N}$ on redexes of lower degree. However, there is an alternative method of proof, which
is more complicated, which proves Theorem 1.2 for extended typed terms with (R2)
redexes. In fact, this stronger method of proof actually proves a stronger result for both
the basic and extended systems.

Theorem 1.3 (Strong normalization theorem) Every sequence of contractions
starting with a typed λ-term terminates in a term in normal form.

For the proof, see Hindley & Seldin [HS86] Appendix 2.

Corollary 1.2.1 is clearly not true in the extended system with terms for the natural
numbers, since $0^{\mathrm N}$ is a closed term in normal form with atomic type $\mathrm N$. However, it is
possible to prove that there is no closed term in void. The proof begins like the proof of
Corollary 1.2.1, but becomes more complicated at the point of analyzing $P_0$, for now $P_0$
might be an atomic constant, and we need a case for each one. For example, we have
to consider the possibility that it is $\mathrm{fst}_{\alpha,\beta}$. Furthermore, $P_1$ has type $\alpha \times \beta$. Since $P_1$
is in normal form and is closed, it must be of the form $D_{\alpha,\beta}\ldots$, contradicting the
assumption that $P^\theta$ is in normal form. Similar arguments work for the other atomic
constants. This proves:

Corollary 1.3.1 If one of the atomic types is void, then there is no closed term of type
void.

We can also obtain a result concerning type $\mathrm N$.

Corollary 1.3.2 Every closed term of type $\mathrm N$ reduces to a numeral; i.e., to a term of
the form

$\sigma^{\mathrm N \to \mathrm N}(\sigma^{\mathrm N \to \mathrm N}(\ldots(\sigma^{\mathrm N \to \mathrm N} 0^{\mathrm N})\ldots))$.

Proof Given a closed term of type $\mathrm N$, let $P^{\mathrm N}$ be its normal form. The proof is by
induction on the structure of the term $P^{\mathrm N}$. Follow the proof of Corollary 1.3.1 through
the analysis of $P_0$; there are now additional cases in which it may be $0^{\mathrm N}$, $\sigma^{\mathrm N \to \mathrm N}$, or $R_\alpha$.
If it is $0^{\mathrm N}$, we are done. Otherwise, the second or third argument must be a numeral by
the induction hypothesis, and so we either have another numeral or an (R) redex. ■

We would now like to prove that the type structures introduced in Section 1 form a
model of the extended typed λ-terms.

Definition 1.11 (Valuation) A valuation for a given type structure is a function $\rho$ which
assigns to each variable $x^\alpha$ of type $\alpha$ an element $\rho(x^\alpha)$ of $D_\alpha$. If $\rho$ is a valuation, then
$[d/x^\alpha]\rho$, where $d \in D_\alpha$, is the valuation $\tau$ with the property that $\tau(x^\alpha) = d$ and, for
each variable $y^\beta$ distinct from $x^\alpha$, $\tau(y^\beta) = \rho(y^\beta)$.

Definition 1.12 (Assignment) For each valuation $\rho$ and for each extended typed λ-
term $M$, an object $|M|_\rho$, called the assignment of $M$ determined by the valuation $\rho$,
or, when no confusion results, the assignment of $M$, is defined as follows, where the
notation $|M|$ is used when no confusion results:

(a) $|D_{\alpha,\beta}|$ is the function which, given $d_1 \in D_\alpha$ and $d_2 \in D_\beta$ as arguments, returns the
value $d_{\alpha,\beta}(d_1, d_2)$;

(b) $|\mathrm{fst}_{\alpha,\beta}| = \mathrm{fst}_{\alpha,\beta} : D_{\alpha \times \beta} \to D_\alpha$;

(c) $|\mathrm{snd}_{\alpha,\beta}| = \mathrm{snd}_{\alpha,\beta} : D_{\alpha \times \beta} \to D_\beta$;

(d) $|\mathrm{inl}_{\alpha,\beta}| = \mathrm{inl}_{\alpha,\beta} : D_\alpha \to D_{\alpha + \beta}$;

(e) $|\mathrm{inr}_{\alpha,\beta}| = \mathrm{inr}_{\alpha,\beta} : D_\beta \to D_{\alpha + \beta}$;

(f) $|\mathrm{case}_{\alpha,\beta,\gamma}| = \mathrm{case}_{\alpha,\beta,\gamma} : D_{\alpha + \beta} \to D_{\alpha \to \gamma} \to D_{\beta \to \gamma} \to D_\gamma$;

(g) $|0^{\mathrm N}| = 0$;

(h) $|\sigma^{\mathrm N \to \mathrm N}| = \sigma$;

(i) $|R_\alpha|$ is the function which, given an element $d \in D_\alpha$ and a function $h :
D_{\mathrm N} \to D_\alpha \to D_\alpha$, returns as a value the function $f : D_{\mathrm N} \to D_\alpha$ with the property that
$f(0) = d$ and $f(n+1) = h(n, f(n))$;

(j) $|M^{\alpha \to \beta} N^\alpha| = |M^{\alpha \to \beta}|(|N^\alpha|)$ if this makes sense (i.e., if $|M^{\alpha \to \beta}|$ is a function and
$|N^\alpha|$ is an object in its domain);

(k) $|\lambda x^\alpha . M^\beta|_\rho$ is the function $f : D_\alpha \to D_\beta$ which, for each element $d \in D_\alpha$, returns
$|M^\beta|_\tau$, where $\tau$ is $[d/x^\alpha]\rho$.

Theorem 1.4 For each extended typed λ-term $M^\alpha$ of type $\alpha$, and for each valuation $\rho$,
$|M^\alpha|_\rho \in D_\alpha$. Furthermore, if $M^\alpha = N^\alpha$, then $|M^\alpha| = |N^\alpha|$.

Proof The first part is proved by induction on the structure of $M^\alpha$. The second part
is proved by showing that assignment is invariant under changes of bound variable and that
the assignment of any redex is equal to that of its contractum; this follows from Definition 1.12. ■
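As an added example (not from the original document), the following Python evaluator implements clauses (a)-(k) of Definition 1.12 for the standard type structure on the natural numbers, and uses the recursor clause (i) to compute with numerals; the tuple encoding of terms, the currying of the constants $D$ and $R$, and the sample terms are this example's own assumptions.

```python
"""Assignments (Definition 1.12) for extended typed λ-terms, evaluated in the
standard type structure: D_N = natural numbers, D_{α×β} = pairs, D_{α+β} =
tagged values, D_{α→β} = functions.

Added example, not part of the original document.  Type superscripts are
omitted from the term syntax (this example's own assumption: the assignment
reaches the type structure only through the atomic constants), and the pairing
constant D and the recursor R are curried.
Terms: ('var', x), ('app', M, N), ('lam', x, M), ('const', name).
A valuation ρ is a dict from variable names to elements of the structure.
"""

def pair(d1):                    # clause (a): |D_{α,β}|, curried
    return lambda d2: (d1, d2)

def recursor(d):                 # clause (i): f(0) = d, f(n+1) = h(n)(f(n))
    def with_step(h):
        def f(n):
            acc = d
            for k in range(n):
                acc = h(k)(acc)
            return acc
        return f
    return with_step

CONSTANTS = {
    'D':     pair,
    'fst':   lambda p: p[0],                          # clause (b)
    'snd':   lambda p: p[1],                          # clause (c)
    'inl':   lambda d: ('inl', d),                    # clause (d)
    'inr':   lambda d: ('inr', d),                    # clause (e)
    'case':  lambda s: lambda f: lambda g: (          # clause (f)
                 f(s[1]) if s[0] == 'inl' else g(s[1])),
    '0':     0,                                       # clause (g)
    'sigma': lambda n: n + 1,                         # clause (h)
    'R':     recursor,
}

def assign(term, rho):
    """|term|_ρ following clauses (a)-(k) of Definition 1.12."""
    kind = term[0]
    if kind == 'const':
        return CONSTANTS[term[1]]
    if kind == 'var':
        return rho[term[1]]
    if kind == 'app':                                  # clause (j)
        return assign(term[1], rho)(assign(term[2], rho))
    if kind != 'lam':
        raise ValueError('unknown term kind %r' % kind)
    x, body = term[1], term[2]                         # clause (k)
    def f(d):
        tau = dict(rho)
        tau[x] = d                                     # τ = [d/x]ρ
        return assign(body, tau)
    return f

# Term builders
def C(name): return ('const', name)
def V(x): return ('var', x)
def L(x, body): return ('lam', x, body)
def A(f, *args):
    t = f
    for a in args:
        t = ('app', t, a)
    return t

def numeral(n):
    """The numeral σ(σ(...(σ 0)...)) of Corollary 1.3.2."""
    t = C('0')
    for _ in range(n):
        t = A(C('sigma'), t)
    return t

# Constructed sample terms
SUCC_STEP = L('k', L('acc', A(C('sigma'), V('acc'))))              # λk.λacc. σ acc
ADD = L('m', L('n', A(C('R'), V('m'), SUCC_STEP, V('n'))))          # m + n, recursion on n
SWAP = L('p', A(C('D'), A(C('snd'), V('p')), A(C('fst'), V('p'))))  # λp. D (snd p) (fst p)
FROM_SUM = L('s', A(C('case'), V('s'), L('a', V('a')), L('b', A(C('sigma'), V('b')))))
TRI_STEP = L('k', L('acc', A(C('R'), V('acc'), SUCC_STEP, V('k'))))  # h k acc = acc + k

def value(term, rho=None):
    return assign(term, dict(rho or {}))

def demo():
    return (value(A(ADD, numeral(3), numeral(4))),
            value(A(SWAP, A(C('D'), numeral(1), numeral(2)))),
            value(A(FROM_SUM, A(C('inr'), numeral(5)))),
            value(A(C('R'), C('0'), TRI_STEP, numeral(5))),
            value(A(C('sigma'), V('y')), {'y': 9}))      # open term: needs ρ(y)

if __name__ == '__main__':
    print(demo())    # (7, (2, 1), 6, 10, 10)
```

The last component shows why the assignment of an open term is relative to a valuation, while the recursor test in the accompanying checks is the semantic counterpart of the equation $f(n+1) = h(n, f(n))$ in clause (i).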
1.4 The Church-Rosser theorem and pure λ-calculus.

As we have seen, every reduction sequence starting with a typed λ-term terminates in
a normal form. But we might well wonder if different reduction sequences terminate
in different normal forms. In a trivial sense they do, since a change of bound variable
applied to a normal form leads to a distinct normal form. But normal forms which differ
only in their bound variables are really essentially the same. What we would like to
know is whether or not there are any typed terms which have two or more truly distinct
normal forms. The answer turns out to be no: all normal forms of a given typed λ-term
differ only by changes of bound variables. This result is a consequence of a theorem due
originally to Church & Rosser [CR36].

Theorem 1.5 (Church-Rosser Theorem) If $M$, $N$, and $P$ are typed terms such that
$P \rhd M$ and $P \rhd N$, then there is a term $Q$ such that $M \rhd Q$ and $N \rhd Q$.

All known proofs of this theorem are too long and complicated to be given here. The
most readable proof is probably that of Rosser [Ros84] pp. 342-343. What is perhaps
most interesting about this proof (and almost all other published proofs) is that it
makes no reference to the type structure; it remains valid if all of the type superscripts
are deleted. In fact, the theorem is not really as much a theorem about the typed λ-
calculus as it is a theorem about the λ-calculus. This makes it worth taking a brief look
at the pure λ-calculus.

Definition 1.13 (Pure λ-terms) Assume that we have infinitely many variables and
perhaps some constants. Then the (pure) λ-terms are defined as follows:

(a) Variables and constants are λ-terms;

(b) If $M$ and $N$ are λ-terms, then $(MN)$ is a λ-term; and

(c) If $x$ is a variable and $M$ is a λ-term, then $(\lambda x.M)$ is a λ-term.

Free and bound variables, substitution, reduction, and conversion are defined much as
for typed λ-terms; the main difference is that typechecking is not needed in substitution
or in forming application terms. Clearly, any typed λ-term can be transformed into
a pure λ-term by deleting the type superscripts. On the other hand, there are pure
λ-terms to which no typed λ-terms correspond. For example, the term

$xx$

does not correspond to any typed term, since there is no typed variable $x^\alpha$ with a type
$\alpha$ that permits the formation of $x^\alpha x^\alpha$. Furthermore, the term

$(\lambda x.xx)(\lambda x.xx)$

contracts to itself, and so clearly has no normal form. The term

$(\lambda x.xxx)(\lambda x.xxx)$

contracts to

$(\lambda x.xxx)(\lambda x.xxx)(\lambda x.xxx)$,

and so clearly has no normal form. These last two terms represent computations that
do not terminate; the first one represents an infinite loop, and the second represents an
expanding infinite loop. Nonterminating computations cannot be represented by typed
terms.

The pure λ-calculus differs from the typed λ-calculus in another respect. The typed
λ-terms have type structures as models. But the pure λ-calculus does not have such
simple models in terms of set theory. The reason for this is that in the pure λ-calculus,
any term can be applied to itself: if $M$ is a term, then so is $(MM)$. But the standard
axioms of set theory prevent a set-theoretic function (in the usual sense of a set of
ordered pairs) from being applied to itself. The typechecking required for the formation
of typed application terms is a sufficient restriction to ensure that the terms can be
modelled as functions in the ordinary set-theoretic sense.
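As an added example (not from the original document), here is a small Python implementation of pure λ-terms (Definition 1.13) with capture-avoiding substitution and β-contraction; the tuple encoding of terms, the leftmost-outermost contraction order and the step budget are this example's own choices. It reproduces the two non-terminating terms discussed above next to a typable term that does reach a normal form.

```python
"""Pure λ-terms (Definition 1.13): substitution, contraction and normalization.

Added example, not part of the original document.  Terms are nested tuples
('var', x), ('app', M, N), ('lam', x, M).  contract_once performs one
leftmost-outermost β-contraction; normalize stops after a step budget, so the
two terms of the text that have no normal form are reported rather than
looping forever.
"""

def var(x): return ('var', x)
def app(m, n): return ('app', m, n)
def lam(x, m): return ('lam', x, m)

def free_vars(t):
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'app':
        return free_vars(t[1]) | free_vars(t[2])
    return free_vars(t[2]) - {t[1]}

_counter = [0]
def fresh(avoid):
    """A variable name not in `avoid`, for a change of bound variable."""
    while True:
        _counter[0] += 1
        name = 'v%d' % _counter[0]
        if name not in avoid:
            return name

def subst(t, x, n):
    """[N/x]t, renaming bound variables so that free variables of N are not captured."""
    if t[0] == 'var':
        return n if t[1] == x else t
    if t[0] == 'app':
        return app(subst(t[1], x, n), subst(t[2], x, n))
    y, body = t[1], t[2]
    if y == x:
        return t                          # x is bound here: nothing to replace
    if y in free_vars(n) and x in free_vars(body):
        z = fresh(free_vars(body) | free_vars(n) | {x})
        body = subst(body, y, var(z))     # change of bound variable y -> z
        y = z
    return lam(y, subst(body, x, n))

def contract_once(t):
    """One leftmost-outermost β-contraction, or None if t is in normal form."""
    if t[0] == 'app':
        m, n = t[1], t[2]
        if m[0] == 'lam':                 # the redex (λx.M)N contracts to [N/x]M
            return subst(m[2], m[1], n)
        r = contract_once(m)
        if r is not None:
            return app(r, n)
        r = contract_once(n)
        return None if r is None else app(m, r)
    if t[0] == 'lam':
        r = contract_once(t[2])
        return None if r is None else lam(t[1], r)
    return None

def normalize(t, budget=50):
    """(normal form, steps taken), or (None, budget) if none was reached in time."""
    for steps in range(budget):
        r = contract_once(t)
        if r is None:
            return t, steps
        t = r
    return None, budget

def size(t):
    """Number of nodes; it grows without bound along the 'expanding loop'."""
    if t[0] == 'var':
        return 1
    if t[0] == 'app':
        return 1 + size(t[1]) + size(t[2])
    return 1 + size(t[2])

# Constructed sample terms from the text
OMEGA = app(lam('x', app(var('x'), var('x'))), lam('x', app(var('x'), var('x'))))
_W3 = lam('x', app(app(var('x'), var('x')), var('x')))
OMEGA3 = app(_W3, _W3)
ID_APP = app(lam('x', var('x')), lam('y', var('y')))    # typable, so it normalizes

if __name__ == '__main__':
    print(normalize(ID_APP))                  # (('lam', 'y', ('var', 'y')), 1)
    print(contract_once(OMEGA) == OMEGA)      # True: contracts to itself
    print(size(OMEGA3), size(contract_once(OMEGA3)))   # 13 20
```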
Although the typed λ-calculus, which we saw in Chapter 1, is in an important sense the
basis of the theory of constructions, the theory of constructions is not exactly a form of
typed λ-calculus; it is actually a form of deductive system for assigning types to λ-terms.
There are a number of such deductive systems, and we will look at several of them
in this chapter. The ones at which we will look will approximate a sequence of systems
leading from the weakest, basic type assignment, to the strongest, which is the theory
of constructions itself.

We begin with a basic system of type assignment, TA, which is equivalent to the
ordinary typed λ-calculus. This system is much weaker than the theory of constructions,
but its theory illustrates very well what we will want later for the theory of constructions
itself. This system and its theory are considered in the first two sections. We then
proceed, in the next two sections, to consider the second order polymorphic typed λ-
calculus, which is one of the best known generalizations of ordinary type assignment
and is of considerable interest to computer scientists in connection with polymorphism
in programming languages. We will see some of the strength of this system.

The theory of constructions is a form of what is usually called generalized type assignment,
which we will consider in the last four sections of the chapter. We begin first
with a general description of the sort of generalization that is involved (Section 2.5), and
we then see (Section 2.6) why systems of this sort require conversion on the types. We
look at the basic system of generalized type assignment in Section 2.7, and we see that it
is, in a sense, a conservative extension of ordinary type assignment. Finally, in Section
2.8, we look at some stronger systems that point the way to the theory of constructions;
the most important of these is the universal fragment of the type theory of Martin-Löf,
but, as we shall see, this system is not even strong enough to interpret the second order
polymorphic typed λ-calculus, and we look at how the former system would have to be
strengthened to interpret the latter. We end with some limitations on the system which
results from this strengthening and which are overcome in the theory of constructions
itself.

It is worth mentioning that it is desirable to interpret the second order polymorphic
typed λ-calculus in systems of generalized type assignment because of the strength of
the former, which we will see in Section 2.4, and the fact that we have a method for
proving the consistency of the latter. In general, when we have a system which can
be proved consistent and in which we can interpret other systems, the latter systems
are shown to be consistent. As we shall see in Chapter 5, the consistency proof for the
theory of constructions leads to consistency results for the interpretations of a number
of useful theories from mathematics and logic.
2.1 Type assignment

In the typed λ-calculus as defined above, terms without types cannot be formed. But in
most programming languages with type discipline, types play a different role: instead of
preventing terms from being formed, they pick out of a set of terms that already exist
those terms that are acceptable to a programming context (such as a compiler). The
terms exist independently of the types, and the relationship between the types and the
terms is established by a process of assigning types to terms.

It turns out to be easy to apply this approach to the λ-calculus. We need only assume
that we are dealing with the pure λ-terms of Definition 1.13 and give a systematic
procedure for assigning types to them.

This procedure will take the form of a deductive theory or system. The formulas of
the system will all have the form

$M : \alpha$,

where $M$ is a term and $\alpha$ is a type. The axioms will be formulas assigning types to
the atomic constants if there are any. (For the moment, let us make things simpler
by assuming that there are no atomic constants.) We also need to assign types to the
variables. In the definition of basic typed terms (Definition 1.3), we postulated that each
variable came with a type. Here, we do not postulate this. Instead, we will postulate
that in any particular assignment, types are assigned to the variables by assumption. In
general, $\Gamma$ will be a set of such assumptions; i.e., $\Gamma$ will be a set of formulas of the form

$x_1 : \alpha_1,\ x_2 : \alpha_2,\ \ldots,\ x_n : \alpha_n$,

where $x_1, x_2, \ldots, x_n$ are distinct variables and $\alpha_1, \alpha_2, \ldots, \alpha_n$ are types. Thus, in
general, an assignment of a type to a term is a deduction whose assumptions assign
types to the free variables in the term. The statement that $M : \alpha$ can be deduced from
a set of assumptions $\Gamma$ will be written

$\Gamma \vdash M : \alpha$.

If we look at the definition of pure λ-terms, we will see that we have taken care
of assigning types to the atomic terms (constants and variables). To assign types to
compound terms, we need rules. These rules will have to correspond to the clauses
assigning types to application terms and abstraction terms in the definition of basic
typed λ-terms, Definition 1.3. They are as follows:

$(\to e)$ If $\Gamma \vdash M : \alpha \to \beta$ and $\Gamma \vdash N : \alpha$, then $\Gamma \vdash (MN) : \beta$.

$(\to i)$ If $\Gamma, x : \alpha \vdash M : \beta$, where $x$ does not occur free in $\Gamma$, then

$\Gamma \vdash \lambda x.M : \alpha \to \beta$.

Note that in the case of $(\to i)$, the conclusion of the rule does not depend on the assumption
$x : \alpha$, whereas the premise does. We say that the assumption is discharged by the
rule. This notion of discharging an assumption is quite common in natural deduction
formulations of systems of logic, which were introduced originally by Jaśkowski [Jas34]
and Gentzen [Gen34] and were extensively studied by Prawitz [Pra65]. In these systems,
the above rules would usually be written as follows:

$$(\to e)\quad \dfrac{M : \alpha \to \beta \qquad N : \alpha}{MN : \beta}
\qquad\qquad
(\to i)\quad \dfrac{\begin{array}{c}[x : \alpha]\\ \vdots\\ M : \beta\end{array}}{\lambda x.M : \alpha \to \beta},$$

where in $(\to i)$, $x$ does not occur free in any undischarged assumption, and where the
square brackets indicate the discharging of the assumption $x : \alpha$ by the rule.

Writing the rules this way is associated with writing deductions as trees, as the
following examples indicate:

Example 2.1 $\lambda x.x : \alpha \to \alpha$ for each type $\alpha$.

Proof

$$\dfrac{[x : \alpha]^1}{\lambda x.x : \alpha \to \alpha}\ (\to i\ 1)$$

Here the brackets indicate the discharged assumption, and the number “1” is used to
indicate the location of the discharge. The importance of keeping track of the places at
which assumptions are discharged is shown in the following example:

Example 2.2 For any types $\alpha$, $\beta$, and $\gamma$, we have

$\lambda x.\lambda y.\lambda z.xz(yz) : (\alpha \to \beta \to \gamma) \to (\alpha \to \beta) \to \alpha \to \gamma$.

Proof

$$
\dfrac{
 \dfrac{
  \dfrac{
   \dfrac{
    \dfrac{[x : \alpha \to \beta \to \gamma]^3 \quad [z : \alpha]^1}{xz : \beta \to \gamma}\ (\to e)
    \qquad
    \dfrac{[y : \alpha \to \beta]^2 \quad [z : \alpha]^1}{yz : \beta}\ (\to e)
   }{xz(yz) : \gamma}\ (\to e)
  }{\lambda z.xz(yz) : \alpha \to \gamma}\ (\to i\ 1)
 }{\lambda y.\lambda z.xz(yz) : (\alpha \to \beta) \to \alpha \to \gamma}\ (\to i\ 2)
}{\lambda x.\lambda y.\lambda z.xz(yz) : (\alpha \to \beta \to \gamma) \to (\alpha \to \beta) \to \alpha \to \gamma}\ (\to i\ 3)
$$

It is important to note that an assumption which is discharged need not actually be
used. Consider the following example:
Example 2.3 For any types $\alpha$ and $\beta$, $\lambda x.\lambda y.x : \alpha \to \beta \to \alpha$.

Proof

$$\dfrac{\dfrac{[x : \alpha]^1}{\lambda y.x : \beta \to \alpha}\ (\to i\ v)}{\lambda x.\lambda y.x : \alpha \to \beta \to \alpha}\ (\to i\ 1)$$

Here, the assumption discharged at the first step is $y : \beta$, which does not actually appear
in the deduction. The “v” indicates this fact.

This method of writing deductions and proofs is common in logic and is appropriate
for theoretical purposes, as we shall see. But many non-logicians may be uncomfortable
with writing deductions as trees. An alternative is to write the deductions as tables.
The three examples given above can be written as follows:

     Formula                                                                              Assumptions

Example 2.1'
 1.  $x : \alpha$                                                                Hyp         1
 2.  $\lambda x.x : \alpha \to \alpha$                                           1 (→i)

Example 2.2'
 1.  $x : \alpha \to \beta \to \gamma$                                            Hyp         1
 2.  $y : \alpha \to \beta$                                                      Hyp         2
 3.  $z : \alpha$                                                                Hyp         3
 4.  $xz : \beta \to \gamma$                                                      1,3 (→e)    1,3
 5.  $yz : \beta$                                                                2,3 (→e)    2,3
 6.  $xz(yz) : \gamma$                                                           4,5 (→e)    1,2,3
 7.  $\lambda z.xz(yz) : \alpha \to \gamma$                                       6 (→i)      1,2
 8.  $\lambda y.\lambda z.xz(yz) : (\alpha \to \beta) \to \alpha \to \gamma$       7 (→i)      1
 9.  $\lambda x.\lambda y.\lambda z.xz(yz) : (\alpha \to \beta \to \gamma) \to (\alpha \to \beta) \to \alpha \to \gamma$    8 (→i)

Example 2.3'
 1.  $x : \alpha$                                                                Hyp         1
 2.  $\lambda y.x : \beta \to \alpha$                                            1 (→i)      1
 3.  $\lambda x.\lambda y.x : \alpha \to \beta \to \alpha$                        2 (→i)

Note that here the discharge of an assumption is indicated by the removal of its number
from the last column, and that if (→i) is used without a change in the last column,
then the discharge is vacuous.

One feature of this kind of system is that these proofs can all be obtained by working
backwards. Let us see this for each of the three examples:

Example 2.1'' We want to prove

$\vdash \lambda x.x : \alpha \to \alpha$.

The only rule of which this can be the conclusion is $(\to i)$, and the premise must be

$x : \alpha \vdash x : \alpha$.

But this is a trivial deduction consisting of an assumption. ■




Example 2.2'' We want to prove

$\vdash \lambda x.\lambda y.\lambda z.xz(yz) : (\alpha \to \beta \to \gamma) \to (\alpha \to \beta) \to \alpha \to \gamma$.

This must be the conclusion of $(\to i)$, and the premise must be

$x : \alpha \to \beta \to \gamma \vdash \lambda y.\lambda z.xz(yz) : (\alpha \to \beta) \to \alpha \to \gamma$.

This must also be the conclusion of $(\to i)$ with the premise

$x : \alpha \to \beta \to \gamma,\ y : \alpha \to \beta \vdash \lambda z.xz(yz) : \alpha \to \gamma$.

This must also be the conclusion of $(\to i)$, and the premise must be

$x : \alpha \to \beta \to \gamma,\ y : \alpha \to \beta,\ z : \alpha \vdash xz(yz) : \gamma$.

Now this must be the conclusion of $(\to e)$, and the premises must be

$x : \alpha \to \beta \to \gamma,\ y : \alpha \to \beta,\ z : \alpha \vdash xz : \delta \to \gamma$   (2.1)

and

$x : \alpha \to \beta \to \gamma,\ y : \alpha \to \beta,\ z : \alpha \vdash yz : \delta$   (2.2)

for some type $\delta$. Now each of these must also be the conclusion of an inference by $(\to e)$.
The premises for (2.1) must be

$x : \alpha \to \beta \to \gamma,\ y : \alpha \to \beta,\ z : \alpha \vdash x : \epsilon \to \delta \to \gamma$

and

$x : \alpha \to \beta \to \gamma,\ y : \alpha \to \beta,\ z : \alpha \vdash z : \epsilon$

for some type $\epsilon$, and it is clear that these deductions are trivial if $\delta$ is $\beta$ and $\epsilon$ is $\alpha$. Then
(2.2) must be

$x : \alpha \to \beta \to \gamma,\ y : \alpha \to \beta,\ z : \alpha \vdash yz : \beta$,

and its premises must be

$x : \alpha \to \beta \to \gamma,\ y : \alpha \to \beta,\ z : \alpha \vdash y : \zeta \to \beta$

and

$x : \alpha \to \beta \to \gamma,\ y : \alpha \to \beta,\ z : \alpha \vdash z : \zeta$.

These two deductions also become trivial if $\zeta$ is $\alpha$. ■


Example 2.3'' We need to prove

$\vdash \lambda x.\lambda y.x : \alpha \to \beta \to \alpha$.

This must be the conclusion of an inference by $(\to i)$, and the premise must be

$x : \alpha \vdash \lambda y.x : \beta \to \alpha$.

This must also be the conclusion of an inference by $(\to i)$, and the premise must be

$x : \alpha,\ y : \beta \vdash x : \alpha$,

which is a trivial deduction. ■

This style of finding deductions is called the refinement style, and is close to the
usual method of implementing on a computer procedures for constructing proofs in this
kind of system.
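The refinement style can be implemented directly. The following Python program (an added example, not the document's own code nor any part of ULYSSES) derives the three examples above by working backwards from the goal formula; the split into a goal-directed `check` and a type-synthesising `synth` function, and the tuple encodings of terms and types, are this example's own assumptions.

```python
"""Refinement-style type assignment for TA, as in Examples 2.1''-2.3''.

Added example, not part of the original document.  check(basis, term, ty)
works backwards from the goal  basis ⊢ term : ty  exactly as the examples
do: a goal λx.M : α→β forces the (→i) premise x:α ⊢ M:β; a goal MN : β
forces the (→e) premises M : δ→β and N : δ, where δ is found by synthesising
the type of M (the subject-construction theorem makes that type unique).
Types: a string such as 'α', or ('->', a, b).  Terms as in Definition 1.13:
('var', x), ('app', M, N), ('lam', x, M).  The result is the deduction as a
list of (formula, justification) lines in the style of Example 2.2'.
"""

def arrow(a, b): return ('->', a, b)

def show_type(t):
    if isinstance(t, str):
        return t
    dom = show_type(t[1])
    if not isinstance(t[1], str):
        dom = '(' + dom + ')'           # arrow associates to the right
    return dom + ' -> ' + show_type(t[2])

def show_term(t):
    if t[0] == 'var':
        return t[1]
    if t[0] == 'lam':
        return 'λ%s.%s' % (t[1], show_term(t[2]))
    m, n = show_term(t[1]), show_term(t[2])
    if t[1][0] == 'lam':
        m = '(' + m + ')'
    if t[2][0] != 'var':
        n = '(' + n + ')'
    return m + n

class NotTypable(Exception):
    pass

def synth(basis, term, lines):
    """The unique type TA assigns to `term` under `basis`, recording the lines used."""
    if term[0] == 'var':
        if term[1] not in basis:
            raise NotTypable('free variable %s has no assumption' % term[1])
        ty = basis[term[1]]
        lines.append((show_term(term) + ' : ' + show_type(ty), 'Hyp'))
        return ty
    if term[0] == 'app':
        f = synth(basis, term[1], lines)                # major premise M : δ->β
        if not (isinstance(f, tuple) and f[0] == '->'):
            raise NotTypable('%s is not of arrow type' % show_term(term[1]))
        check(basis, term[2], f[1], lines)              # minor premise N : δ
        lines.append((show_term(term) + ' : ' + show_type(f[2]), '(->e)'))
        return f[2]
    raise NotTypable('no goal type for abstraction %s' % show_term(term))

def check(basis, term, ty, lines):
    """Establish basis ⊢ term : ty by refinement; raises NotTypable on failure."""
    if term[0] == 'lam':
        if not (isinstance(ty, tuple) and ty[0] == '->'):
            raise NotTypable('abstraction %s needs an arrow type' % show_term(term))
        inner = dict(basis)
        inner[term[1]] = ty[1]          # assumption x : α, discharged by (->i)
        check(inner, term[2], ty[2], lines)
        lines.append((show_term(term) + ' : ' + show_type(ty), '(->i)'))
        return lines
    found = synth(basis, term, lines)
    if found != ty:
        raise NotTypable('%s : %s, not %s' % (show_term(term), show_type(found), show_type(ty)))
    return lines

def derive(term, ty, basis=None):
    """The table of lines for basis ⊢ term : ty, or None if there is no deduction."""
    try:
        return check(dict(basis or {}), term, ty, [])
    except NotTypable:
        return None

# Constructed sample goals: the three examples of the text, plus the untypable λx.xx
a, b, c = 'α', 'β', 'γ'
def V(x): return ('var', x)
I = ('lam', 'x', V('x'))
K = ('lam', 'x', ('lam', 'y', V('x')))
S = ('lam', 'x', ('lam', 'y', ('lam', 'z',
        ('app', ('app', V('x'), V('z')), ('app', V('y'), V('z'))))))
SELF = ('lam', 'x', ('app', V('x'), V('x')))
S_TYPE = arrow(arrow(a, arrow(b, c)), arrow(arrow(a, b), arrow(a, c)))

if __name__ == '__main__':
    for i, (formula, why) in enumerate(derive(S, S_TYPE), 1):
        print('%d. %-55s %s' % (i, formula, why))
    print(derive(SELF, arrow(a, a)))    # None: xx cannot be typed
```

Because the lines are produced tree-fashion, an assumption used twice (as $z : \alpha$ in Example 2.2) appears once per use, unlike the table of Example 2.2' where it is listed once.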

Let us give this system a name. Note that for technical reasons, we need one additional
rule which has not been needed in the above examples.

Definition 2.1 (The type-assignment system TA) The system TA is a natural deduction
system. Its formulas, called type-assignment formulas, are the expressions of
the form

$M : \alpha$,

where $M$ is a pure term and $\alpha$ is a (basic) type symbol. There are no axioms. The rules
are as follows:

$$(\to e)\quad \dfrac{M : \alpha \to \beta \qquad N : \alpha}{MN : \beta}$$

$$(\to i)\quad \dfrac{\begin{array}{c}[x : \alpha]\\ \vdots\\ M : \beta\end{array}}{\lambda x.M : \alpha \to \beta}$$

Condition: $x : \alpha$ is the only undischarged assumption in which $x$ occurs free.

$$(=_\alpha)\quad \dfrac{M : \beta}{N : \beta}$$

Condition: $N$ is obtained from $M$ by change of bound variables and $M : \beta$ is not the
conclusion of a rule.

Note that rule $(=_\alpha)$ cannot occur in a deduction if all assumptions are of the form
$x : \alpha$, where $x$ is a variable. The rule is included to allow assumptions of other forms
and because we will need it in systems we will take up later.

There are several things to note about this system. The first is that deductions
invariably follow the construction of the term to which a type is assigned by the conclusion.
This fact, which is easy to see, is difficult to write out as a formal theorem.
It is known as the subject-construction theorem; see Curry, Hindley & Seldin [CHS72]
Theorem 14D1, p. 310. (The name comes from the fact that the term $M$ in a formula
$M : \alpha$ is called the subject of the formula.) Nevertheless, it should be obvious from the
above examples. One result of this theorem is that it is fairly easy to determine the type
of any bound variable. Another is that it is decidable whether or not a given term has
a type. See the discussion in Hindley & Seldin [HS86] Chapter 15.

By using the subject-construction theorem, we can obtain results for deductions in
TA corresponding to the results of Section 1.3 above for basic terms. First, we need to
define a basis as a set of assumptions of the form

$M_1 : \alpha_1,\ \ldots,\ M_n : \alpha_n$.

A variables-only basis is a basis in which each $M_i$ is a variable. Then, we have the
following analogue of Lemma 1.1:

Lemma 2.1 (Replacement) Let $\Gamma_1$ be any basis, and let $\mathcal D$ be a deduction giving

$\Gamma_1 \vdash_{\mathrm{TA}} M : \alpha$.

Let $P$ be a term occurrence in $M$, and let $\lambda x_1, \ldots, \lambda x_n$ be those λ's whose scope contains
$P$. Let $\mathcal D$ contain a formula $P : \gamma$ in the same position that $P$ has in the construction
tree of $M$, and let

$x_1 : \delta_1,\ \ldots,\ x_n : \delta_n$

be the assumptions above $P : \gamma$ that are discharged by applications of $(\to i)$ below it.
Assume that $P : \gamma$ is not in $\Gamma_1$. Let $Q$ be a term such that $FV(Q) \subseteq FV(P)$, and let
$\Gamma_2$ be a basis in which $x_1, \ldots, x_n$ do not occur free such that

$\Gamma_2,\ x_1 : \delta_1,\ \ldots,\ x_n : \delta_n \vdash_{\mathrm{TA}} Q : \gamma$.

Let $M^*$ be the result of replacing $P$ by $Q$ in $M$. Then

$\Gamma_1 \cup \Gamma_2 \vdash_{\mathrm{TA}} M^* : \alpha$.

Proof See Hindley & Seldin [HS86] Lemma 15.16. ■

Using this lemma and the subject-construction theorem, it is easy to prove the
following theorem:

Theorem 2.1 (Subject-reduction theorem) Let $\Gamma$ be a variables-only basis. If

$\Gamma \vdash_{\mathrm{TA}} M : \alpha$

and $M \rhd N$, then

$\Gamma \vdash_{\mathrm{TA}} N : \alpha$.

Proof See Hindley & Seldin [HS86] Theorem 15.17. ■

From these results, we can see that deductions in TA correspond to typed terms in
the sense of Definition 1.5.

Definition 2.2 (Correspondence between deductions and terms) For each deduction
$\mathcal D$ of TA, a typed term $|\mathcal D|$ in the sense of Definition 1.5 whose type is the
type of the conclusion of $\mathcal D$ is defined as follows:

(a) If $M : \alpha$ is an assumption, then $|M : \alpha|$ is a typed variable $x^\alpha$ of type $\alpha$. This variable
must be so chosen that it is not assigned to any other assumption which is not also
of the form $M : \alpha$; but if $M : \alpha$ is a discharged assumption then the same variable must
be assigned to any other assumptions of the form $M : \alpha$ which are discharged at the
same inference by $(\to i)$;

(b) If $\mathcal D$ is

$$\dfrac{\begin{array}{c}\mathcal D_1\\ M : \alpha \to \beta\end{array}\qquad\begin{array}{c}\mathcal D_2\\ N : \alpha\end{array}}{MN : \beta}\ (\to e)$$

then $|\mathcal D| = |\mathcal D_1|\,|\mathcal D_2|$;

(c) If $\mathcal D$ is

$$\dfrac{\begin{array}{c}[x : \alpha]^1\\ \mathcal D_1\\ M : \beta\end{array}}{\lambda x.M : \alpha \to \beta}\ (\to i\ 1)$$

then $|\mathcal D| = \lambda v^\alpha . |\mathcal D_1|$, where $v^\alpha = |x : \alpha|$.

(This is not quite a one-to-one correspondence because the condition on typed variables
in (a) is almost impossible to satisfy with one definition for all deductions in a way
that is consistent with the changes of bound variables required to define substitution.
But for any small set of deductions, it is locally a one-to-one correspondence.)

This correspondence suggests that we define reduction steps for deductions as well
as for terms. These reduction steps turn out to be similar to the β-reduction steps of
Prawitz [Pra65] (see Section 3.3):

Definition 2.3 (β-reduction steps for deductions) A deduction of the form

$$\dfrac{\dfrac{\begin{array}{c}[x : \alpha]^1\\ \mathcal D_1(x)\\ M : \beta\end{array}}{\lambda x.M : \alpha \to \beta}\ (\to i\ 1)\qquad\begin{array}{c}\mathcal D_2(N)\\ N : \alpha\end{array}}{(\lambda x.M)N : \beta}\ (\to e)$$

reduces to

$$\begin{array}{c}\mathcal D_2(N)\\ \mathcal D_3\\ [N/x]M : \beta\end{array}$$

where $\mathcal D_3$ is obtained from $\mathcal D_1$ by replacing appropriate occurrences of $(\lambda x.M)N$ by
$[N/x]M$ according to Lemma 2.1.

Using Definition 2.3, we can prove the following result:
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Theorem  2.2  (Normalization  theorem  for  deductions)  Every  deduction  in  7/1 
can  be  reduced  to  a  deduction  which  cannot  be  reduced  further. 

This  can  also  be  proved  directly;  sec  llindlcy  tt  Scldin  [HS86]  Theorem  15.31. 

By the subject-construction theorem, it follows that if there is a deduction $\mathcal{D}$ of $M : \alpha$ from a variables-only basis, and if there is a β-redex in $M$, then $\mathcal{D}$ can be reduced by a β-reduction step for deductions. This gives us the following corollary.

Corollary 2.2.1 (Normalization theorem for terms) Let $\Gamma$ be a variables-only basis. If
$$\Gamma \vdash_{\mathrm{TA}} M : \alpha,$$
then $M$ has a normal form.

(See Hindley & Seldin [HS86] Corollary 15.31.1.)

A deduction which cannot be further reduced, which is usually called a normal deduction, has the property that there is no inference by (→i) whose conclusion is the major (left) premise for an inference by (→e). It follows from this that if one takes a normal deduction (in tree form) and starts with any assumption, whether discharged or not, then, as one proceeds down the tree, one cannot come to a major premise for an inference by (→e) below an inference by (→i) unless one passes through a minor (right) premise for an inference by (→e) in between. Let us define a branch of a deduction to be a sequence $A_1, A_2, \ldots, A_n$ of formula occurrences such that $A_1$ is a (discharged or undischarged) assumption, for each $i < n$, $A_i$ is the premise for an inference (but not the right premise for an inference by (→e)) and $A_{i+1}$ is the conclusion, and $A_n$ is either the conclusion of the deduction or else the right premise for an inference by (→e). Then each branch consists of zero or more left premises for inferences by (→e) followed by premises for inferences by (→i). (Under certain circumstances, a branch may begin with the premise for an inference by (=α).) It follows that any deduction proceeds by breaking the types of the assumptions down into their constituent parts and then putting the parts back together to get the type of the conclusion. There are a number of consequences of this fact, among them the following:

Corollary 2.2.2 (Subtype property) In any normal deduction in TA, every type appearing in a formula of the deduction is a subtype of the type of one of the assumptions or else of the conclusion.

Another consequence of this structure of normal deductions is the following:

Corollary 2.2.3 If the type of the conclusion of a normal deduction is atomic, then there is no inference by (→i) in the leftmost branch (i.e., the branch that begins with the top left assumption and ends with the conclusion of the deduction).
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Remark  It  is  not  hard  to  extend  this  theory  to  extended  typed  A-terms.  All  we  need 
lo  do  is  to  add  some  new  constants  and  assign  them  new  types  using  axiom  schemes  as 
follows: 


.*1  i 


(D)  Daj<  :  nr  —  /#  —  €»  x  /i, 

(fst)  fst„  ji  :  it  x  li  or, 

(snd)  snd„,/i  :  <»  x  fi  — » /?, 

(ini)  inl„  ^  :  n  -*  a  +  /?, 

(inr)  inr„  „  :  /?  —  o  -f  ft, 

(case)  case,,  ^  a  :  o  +  /t  —  (a  —  7)  -*(/?  —  7)  -*  7, 

(0)  0  :  N, 

(<r )  <r  :  N  — *  IM, 

and 

(R„ )  Rfr  :o  —  (N  —  «  — «)-*N  —  a. 

Wc  also  assume  that  those  constants  satisfy  the  contractions  obtained  from  the  first 
four  of  Definition  1.9  by  dropping  type  superscripts.  For  some  purposes,  as  we  shall  see 
in  Section  3.4,  we  arc  not  interested  in  the  constants  0,  <t ,  and  Ra.  The  system  without 
the  constants  0,  <r,  and  R„(and  without  the  atomic  type  N)  will  be  called  extended  TA. 
The  system  with  N,  0,  <r,  and  R„will  be  called  extended  TA  with  arithmetic. 
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2.2  Type  variables  and  principal  type  scheme 


As we saw in Example 2.1 above,
$$\lambda x.x : \alpha \to \alpha$$
for every type $\alpha$. It follows that if $\theta$ is any atomic type, then
$$\lambda x.x : \theta \to \theta.$$
It seems clear that any other type assigned to $\lambda x.x$ can be obtained from the type $\theta \to \theta$ by "substituting" some other type for $\theta$. It would be nice to formalize and generalize this property of type assignment.

The notion of "substitution" into a type would make more sense if we had type variables. Hence, we extend Definition 2.1 as follows:

Definition 2.4 (Type schemes) The atomic type constants or type constants will be the atomic type symbols of Definition 1.1. We assume that we have infinitely many type variables, which will be denoted $a$, $b$, etc. Then type schemes are defined as follows:

(a) Type constants and type variables are (atomic) type schemes;

(b) If $\alpha$ and $\beta$ are type schemes, then so is $(\alpha \to \beta)$.

A type is a type scheme in which no type variables occur. A type scheme $\beta$ is a substitution instance of a type scheme $\alpha$ if $\beta$ is obtained from $\alpha$ by substituting type schemes for type variables; i.e., if there are type variables $a_1, \ldots, a_n$ and type schemes $\gamma_1, \ldots, \gamma_n$ such that
$$\beta \equiv [\gamma_1/a_1, \ldots, \gamma_n/a_n]\alpha.$$
From now on, we will assume that TA is defined using type schemes instead of types. Now the property of type assignment that we noted at the beginning of this section can be formulated by saying that any type or type scheme assigned to $\lambda x.x$ is a substitution instance of $a \to a$. We are interested in knowing which terms are assigned a type scheme with the property that any other type scheme assigned to the term is a substitution instance of the given one. A type scheme with this property deserves a special name.

Definition 2.5 (Principal type scheme) Let $M$ be a closed term. Then a type scheme $\alpha$ is called a principal type scheme (p.t.s.) of $M$ if and only if
$$\vdash_{\mathrm{TA}} M : \alpha'$$
holds for a type scheme $\alpha'$ when and only when $\alpha'$ is a substitution instance of $\alpha$.

* We are ignoring for the moment the types $\alpha \times \beta$ and $\alpha + \beta$. The reasons for this will become apparent in Section 2.4 below.
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This  definition  clearly  works  only  for  closed  terms;  i.e.,  for  terms  with  no  free  vari¬ 
ables.  F'or  terms  with  free  variables,  we  need  to  generalize  this  definition.  First,  we 
define  an  F V(M)-basis  for  a  term  M  to  be  a  basis  of  the  form 

Mi  :  oi,  Mi  :  a2,  . . . ,  Mn  :  a„, 

in  which  each  Af,  is  a  variable  which  occurs  free  in  M . 

Definition  2.G  (Principal  pair)  Let  M  be  a  term  whose  free  variables  are 
xj,  X2,  ....  x„.  Then  a  pair  (r,a)  is  called  a  principal  pair  (p.p.)  of  M,  and  a  a 
p.l.s.  of  A/,  if  and  only  if  T  is  an  FV(M)-l>asis  and 

r'  l-TA  M  :  a 

holds  for  an  FV(M)-basis  r/  and  a  type  scheme  o'  when  and  only  when  F/  and  o'  are 
obtained  from  T  and  o  respectively  by  the  same  substitution. 

Example  2.4  Ax.x  has  p.t.s.  a  — *  a  . 

Example  2.5  Ax.xx  is  not  assigned  any  type  by  TA. 

These examples should make it clear that the following theorem holds; its proof, although simple in principle, is complicated to write out and will not be given here. (See Hindley & Seldin [HS86] Theorem 15.26 and Theorem 14.40.)

Theorem 2.3 (P.t.s. theorem) Every pure λ-term $M$ to which a type scheme is assigned by TA using only FV(M)-bases has a p.t.s. and a p.p.

It is worth noting that the use of type variables makes it possible to make general assertions. The fact that $\lambda x.x$ has as a p.t.s. $a \to a$ means that it has type $\alpha \to \alpha$ for all types $\alpha$. Thus, a statement such as
$$\vdash_{\mathrm{TA}} \lambda x.x : a \to a$$
makes a statement about all types $\alpha$. This same method of making general statements about types is used in the programming language ML (see Gordon et al. [?] and Milner [Mil85] and [Mil78]).
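The p.t.s. theorem is effective: the principal pair of a term can be computed by first-order unification, and the computation fails exactly on the terms to which TA assigns no type. The following Python program is an added example, not code from the MATHESIS/ULYSSES document; the term and type representations, the names `principal_pair` and `pts`, and the sample terms are choices made for this example. The occurs check in `unify` is what rejects $\lambda x.xx$ (Example 2.5): a unifier that skipped it would "solve" $a = a \to b$ and assign a type that TA does not assign, which is the kind of unsound shortcut in a verification tool that the introduction warns against.

```python
# Principal type inference for TA with type variables (Section 2.2).  Added
# example; this is not code from the MATHESIS/ULYSSES document.  Type schemes
# follow Definition 2.4 (constants, variables, arrows); terms are pure
# lambda-terms.  The inference is first-order unification with an occurs
# check and returns the principal pair (Gamma, alpha) of Definition 2.6,
# or reports that TA assigns no type.
from dataclasses import dataclass
from typing import Dict, Tuple, Union

@dataclass(frozen=True)
class TVar:            # type variable a, b, ...
    name: str

@dataclass(frozen=True)
class TCon:            # atomic type constant theta
    name: str

@dataclass(frozen=True)
class Arrow:           # (alpha -> beta)
    dom: "Type"
    cod: "Type"

Type = Union[TVar, TCon, Arrow]

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"

@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"

Term = Union[Var, App, Lam]

class NotTypable(Exception):
    """Raised when TA assigns no type scheme to the term (cf. Example 2.5)."""

def show(t: Type) -> str:
    return f"({show(t.dom)} -> {show(t.cod)})" if isinstance(t, Arrow) else t.name

def apply(s: Dict[str, Type], t: Type) -> Type:
    """Apply the substitution s = [gamma_1/a_1, ...] to a type scheme."""
    if isinstance(t, TVar):
        return apply(s, s[t.name]) if t.name in s else t
    if isinstance(t, Arrow):
        return Arrow(apply(s, t.dom), apply(s, t.cod))
    return t

def occurs(a: str, t: Type) -> bool:
    if isinstance(t, Arrow):
        return occurs(a, t.dom) or occurs(a, t.cod)
    return isinstance(t, TVar) and t.name == a

def unify(t1: Type, t2: Type, s: Dict[str, Type]) -> None:
    """Extend s so that apply(s, t1) == apply(s, t2), or raise NotTypable."""
    t1, t2 = apply(s, t1), apply(s, t2)
    if t1 == t2:
        return
    if isinstance(t1, TVar):
        if occurs(t1.name, t2):          # occurs check: a = a -> b has no solution
            raise NotTypable(f"{t1.name} occurs in {show(t2)}")
        s[t1.name] = t2
    elif isinstance(t2, TVar):
        unify(t2, t1, s)
    elif isinstance(t1, Arrow) and isinstance(t2, Arrow):
        unify(t1.dom, t2.dom, s)
        unify(t1.cod, t2.cod, s)
    else:
        raise NotTypable(f"cannot unify {show(t1)} with {show(t2)}")

class Inferencer:
    def __init__(self) -> None:
        self.counter = 0
        self.subst: Dict[str, Type] = {}

    def fresh(self) -> TVar:
        self.counter += 1
        return TVar(f"a{self.counter}")

    def infer(self, term: Term, basis: Dict[str, Type]) -> Type:
        """basis collects the undischarged assumptions x : a (an FV(M)-basis)."""
        if isinstance(term, Var):
            if term.name not in basis:
                basis[term.name] = self.fresh()
            return basis[term.name]
        if isinstance(term, Lam):            # (-> i): discharge the assumption x : a
            a = self.fresh()
            inner = {**basis, term.var: a}
            body = self.infer(term.body, inner)
            for k, v in inner.items():       # other free variables stay in the basis
                if k != term.var:
                    basis[k] = v
            return Arrow(a, body)
        f = self.infer(term.fun, basis)      # (-> e): M : a -> b and N : a give MN : b
        x = self.infer(term.arg, basis)
        b = self.fresh()
        unify(f, Arrow(x, b), self.subst)
        return b

def principal_pair(term: Term) -> Tuple[Dict[str, Type], Type]:
    """The principal pair (Gamma, alpha) of Definition 2.6, with Gamma as a dict."""
    inf = Inferencer()
    basis: Dict[str, Type] = {}
    t = inf.infer(term, basis)
    return {k: apply(inf.subst, v) for k, v in basis.items()}, apply(inf.subst, t)

def canonical(t: Type, names: Dict[str, str]) -> Type:
    """Rename type variables to a, b, c, ... in order of first occurrence."""
    if isinstance(t, TVar):
        names.setdefault(t.name, "abcdefghijklmnopqrstuvwxyz"[len(names)])
        return TVar(names[t.name])
    if isinstance(t, Arrow):
        return Arrow(canonical(t.dom, names), canonical(t.cod, names))
    return t

def pts(term: Term) -> str:
    """The p.t.s. of a closed term as text, e.g. '(a -> a)' for \\x.x (Example 2.4)."""
    return show(canonical(principal_pair(term)[1], {}))

if __name__ == "__main__":
    for name, t in [("I", Lam("x", Var("x"))), ("K", Lam("x", Lam("y", Var("x"))))]:
        print(name, "has p.t.s.", pts(t))
    try:
        pts(Lam("x", App(Var("x"), Var("x"))))
    except NotTypable as e:
        print("\\x.xx has no type:", e)
```

For a term with free variables, `principal_pair` returns the basis as well, so the principal pair of $yz$ is $(\{y : a \to b,\ z : a\},\ b)$ up to renaming of type variables, as Definition 2.6 requires.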


2.3  Universal  quantification  over  all  types 

We have seen how to use type variables to make statements about all types. But the system we have above is still not what is usually needed for making and using such statements in a programming language. For example, in a language such as FORTRAN or PASCAL, programs that differ only in the types of their variables need to be duplicated and compiled separately. A language such as ML avoids this problem by using type variables and having a rule of substitution for them. We could easily imitate ML by adding a rule such as
$$\frac{M : \alpha}{M : [\beta/a]\alpha},$$
but this seems to be in some ways incompatible with the subject-construction theorem. The alternative which suggests itself is to add an explicit universal quantifier.

A system with this explicit universal quantifier is already known; it was introduced independently by Girard [Gir71] and Reynolds [Rey74]. The definition of type is extended by specifying that if $a$ is a type variable and $\alpha$ is a type, then $(\forall a)\alpha$ is a type. For this to make complete sense, we need to keep track of the types of bound variables; thus, if the type of $x$ is $\alpha$, then we shall write $\lambda x{:}\alpha\,.\,M$ instead of $\lambda x.M$. For example, the identity function on type $\alpha$ will now be written $\lambda x{:}\alpha\,.\,x$. If we take the type to be the type variable $a$, then we have $\lambda x{:}a\,.\,x$, which has type $a \to a$. Obviously, some term related to this one should be in the type $(\forall a)(a \to a)$, and the fact that the term has this type should express the fact that in TA a p.t.s. of $\lambda x.x$ is $a \to a$. To construct the term we need, we add a new abstraction operator, from a type variable $a$ and a term $M$. In our example, the term in $(\forall a)(a \to a)$ is $\lambda a\,.\,\lambda x{:}a\,.\,x$. To go with this new abstraction operator, we need a new application: the result of applying a term $M$ to a type scheme $\beta$ will be $M\beta$. In our example, we will have the term $(\lambda a\,.\,\lambda x{:}a\,.\,x)\beta$, which we expect to be assigned type $\beta \to \beta$ and to reduce to $\lambda x{:}\beta\,.\,x$. In general, we expect to have the "$\beta_2$"-contraction of $(\lambda a.M)\beta$ to $[\beta/a]M$. We also have the following new type assignment rules:

$$(\forall\mathrm{e})\quad \frac{M : (\forall a)\alpha}{M\beta : [\beta/a]\alpha}\qquad\text{Condition: } \beta \text{ is a type.}$$

$$(\forall\mathrm{i})\quad \frac{M : \alpha}{\lambda a.M : (\forall a)\alpha}\qquad\text{Condition: } a \text{ does not occur free in any undischarged assumption.}$$

One effect of these rules is to give us functions which take types as arguments. Such functions cannot be represented in the type structures of Section 2.1. See the second note following Definition 2.12 below.


Note that with our new notation, rule (→i) is now written as follows:
$$\frac{\begin{array}{c}[x : \alpha]\\ M : \beta\end{array}}{\lambda x{:}\alpha\,.\,M : \alpha \to \beta}$$
The system defined this way is called the second-order polymorphic typed λ-calculus, or, for short, second-order λ-calculus. To define it, we have the following formal definitions:

Definition 2.7 (Second-order polymorphic types and type schemes) Assume that we have some type constants and infinitely many type variables as in Definition 2.4. Then second-order polymorphic type schemes are defined as follows:

(a) all type constants and type variables are type schemes;

(b) if $\alpha$ and $\beta$ are type schemes, then so is $(\alpha \to \beta)$; and

(c) if $\alpha$ is a type scheme and $a$ is a type variable, then $(\forall a)\alpha$ is a type scheme.

An occurrence of a type variable $a$ in a type scheme $\alpha$ is said to be bound if it is inside a subtype scheme of the form $(\forall a)\beta$; otherwise it is free. A second-order polymorphic type is a second-order polymorphic type scheme in which every occurrence of a type variable is bound. The set of all type variables free in $\alpha$ is called $\mathrm{FV}(\alpha)$.

Definition 2.8 (Second-order polymorphic λ-terms) Assume that we have infinitely many term variables, distinct from the type variables, and perhaps some constants, each constant having a type scheme assigned to it. Then second-order polymorphic λ-terms are defined as follows:

(a) every constant and variable is a term;

(b) if $M$ and $N$ are terms, then so is $(MN)$;

(c) if $x$ is a variable, $\alpha$ a type scheme, and $M$ a term, then $(\lambda x{:}\alpha\,.\,M)$ is a term;

(d) if $M$ is a term and $\alpha$ is a type scheme, then $M\alpha$ is a term; and

(e) if $a$ is a type variable and $M$ is a term, then $(\lambda a.M)$ is a term.

An occurrence of a term variable $x$ in a term $P$ is said to be bound if it is inside a subterm of the form $\lambda x{:}\alpha\,.\,M$; otherwise it is free. An occurrence of a type variable $a$ in a term $P$ is bound if it is inside a subterm of the form $\lambda a.M$; otherwise it is free. The set of all term and type variables free in $M$ is called $\mathrm{FV}(M)$.

Definition 2.9 (Substitution) Substitution of terms for term variables and type schemes for type variables is defined much as in Definition 2.6; in particular, bound term and type variables are automatically changed to avoid conflicts.

Definition 2.10 (Change of bound variables) A change of bound variables in a type scheme or term is any of the following replacements:

(a) $(\forall a)\alpha$ by $(\forall b)[b/a]\alpha$ if $b \notin \mathrm{FV}(\alpha)$;

(b) $\lambda a.M$ by $\lambda b.[b/a]M$ if $b \notin \mathrm{FV}(M)$;

(c) $\lambda x{:}\beta\,.\,M$ by $\lambda y{:}\beta\,.\,[y/x]M$ if $y \notin \mathrm{FV}(M)$.

Definition 2.11 (β-reduction) For terms $P$ and $Q$, we say that $P$ β-reduces to $Q$ ($P \triangleright_{\beta} Q$, or $P \triangleright Q$) if and only if $Q$ is obtained from $P$ by a finite (perhaps empty) series of changes of bound variables and the following kinds of contractions:

(β$_1$) $(\lambda x{:}\alpha\,.\,M)N \triangleright_{\beta} [N/x]M$;

(β$_2$) $(\lambda a.M)\alpha \triangleright_{\beta} [\alpha/a]M$.

Conversion is defined from this reduction as in Definition 1.7.

Definition 2.12 (The type assignment system TAP) TAP (second-order polymorphic type assignment) is a natural deduction system. Its formulas are the type assignment formulas
$$M : \alpha,$$
where $M$ is a second-order polymorphic term (Definition 2.8) and $\alpha$ is a second-order polymorphic type scheme (Definition 2.7). TAP has axioms which assign types to atomic constants if there are any; otherwise it has no axioms. Its rules are as follows:

$$(\to\mathrm{e})\quad \frac{M : \alpha \to \beta \qquad N : \alpha}{MN : \beta}$$

$$(\to\mathrm{i})\quad \frac{\begin{array}{c}[x : \alpha]\\ M : \beta\end{array}}{\lambda x{:}\alpha\,.\,M : \alpha \to \beta}\qquad\text{Condition: } x \text{ is a term variable which is not free in any undischarged assumption.}$$

$$(\forall\mathrm{e})\quad \frac{M : (\forall a)\alpha}{M\beta : [\beta/a]\alpha}\qquad\text{Condition: } \beta \text{ is a type scheme.}$$

$$(\forall\mathrm{i})\quad \frac{M : \alpha}{\lambda a.M : (\forall a)\alpha}\qquad\text{Condition: } a \text{ is a type variable which is not free in any undischarged assumption.}$$

$$(=_{\alpha}')\quad \frac{M : \alpha}{N : \alpha}\qquad\text{Condition: } N \text{ is obtained from } M \text{ by changes of bound variables.}$$

$$(=_{\alpha}'')\quad \frac{M : \alpha}{M : \beta}\qquad\text{Condition: } \beta \text{ is obtained from } \alpha \text{ by changes of bound variables, and } M : \alpha \text{ is not the conclusion of a rule.}$$


Notes

1. Rules $(=_{\alpha}')$ and $(=_{\alpha}'')$ have not been postulated in the literature; however, it is standard to ignore changes of bound variables, and the rules seem necessary to formalize this practice. Note that while rule $(=_{\alpha}'')$ is restricted the way rule $(=_{\alpha})$ is in TA (Definition 2.1), rule $(=_{\alpha}')$ is not. In fact, if the latter rule were so restricted, it would be impossible to deduce statements of the form $\lambda a.M : (\forall b)\beta$ unless $a$ and $b$ were the same or there were an assumption of this form.

2. As we saw above, we now have functions which take types for arguments, which are not part of the type structures defined in Section 2.1, so these type structures are not models for TAP. In fact, Reynolds [Rey84] has shown that there are no models for TAP in which the types are interpreted as sets as in type structures. There are models of TAP in terms of category theory, but many people who do not know category theory do not find such models helpful. For computer scientists, it is probably best to think of the terms of TAP as having only computational meaning.

3. Some writers use a different notation: $M\{\alpha\}$ instead of $M\alpha$, and $\Lambda a.M$ for $\lambda a.M$. The notation used here does not hide any important distinctions which are not clear from the context, and is somewhat cleaner than the alternative.

Example 2.6 The informal discussion before Definition 2.7 corresponds to the following formal deduction in TAP:
$$\frac{\dfrac{\dfrac{[x : a]^{1}}{\lambda x{:}a\,.\,x : a \to a}\;(\to\mathrm{i})}{\lambda a\,.\,\lambda x{:}a\,.\,x : (\forall a)(a \to a)}\;(\forall\mathrm{i})}{(\lambda a\,.\,\lambda x{:}a\,.\,x)\theta : \theta \to \theta}\;(\forall\mathrm{e})$$
Note that the term in the conclusion reduces to $\lambda x{:}\theta\,.\,x$.

For the further theory of TAP, including the normalization theorem, see Fortune et al. [FLO83] and Mitchell [Mit86]. For a proof of the Church-Rosser theorem for the reduction defined in Definition 2.11, see van Daalen [Daa80], §11.6.
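Example 2.6 and the side conditions of Definition 2.12, as an added Python example (not code from the MATHESIS/ULYSSES document). The tuple encodings of types and terms, the names `typeof`, `alpha_eq` and `void_inhabitant`, and the `strict` flag are this example's own. The checker implements the rules of TAP with the condition on (∀i) that the abstracted type variable is not free in any undischarged assumption; `void_inhabitant` builds a closed term that the checker rejects at its inner type abstraction for exactly that reason. With the check switched off, the same term is assigned type $(\forall b)b$, the type that Section 2.4 calls void and shows to have no closed inhabitant (Theorem 2.4). The side condition is therefore the difference between a sound type assignment and one in which every type has a closed inhabitant, which is the kind of flaw the introduction describes in faulty verification logics.

```python
# Type checking for TAP (Definition 2.12).  Added example; this is not code
# from the MATHESIS/ULYSSES document.  Types and terms are nested tuples,
# with type abstraction written ('tlam', a, M) and type application
# ('tapp', M, alpha).  The checker enforces the side condition on (forall i):
# the abstracted type variable must not be free in any undischarged
# assumption.  The `strict` flag switches that check off to show what goes
# wrong without it.
from typing import Dict, Set, Tuple

Type = tuple   # ('tvar', a) | ('tcon', theta) | ('arr', T1, T2) | ('all', a, T)
Term = tuple   # ('var', x) | ('app', M, N) | ('lam', x, T, M) | ('tapp', M, T) | ('tlam', a, M)

class TypingError(Exception):
    pass

def ftv(t: Type) -> Set[str]:
    """Type variables free in a type scheme (Definition 2.7)."""
    k = t[0]
    if k == "tvar":
        return {t[1]}
    if k == "tcon":
        return set()
    if k == "arr":
        return ftv(t[1]) | ftv(t[2])
    return ftv(t[2]) - {t[1]}

_counter = [0]

def fresh(base: str) -> str:
    _counter[0] += 1
    return f"{base}{_counter[0]}"

def tsubst(t: Type, a: str, s: Type) -> Type:
    """[s/a]t, renaming bound variables to avoid capture (Definition 2.9)."""
    k = t[0]
    if k == "tvar":
        return s if t[1] == a else t
    if k == "tcon":
        return t
    if k == "arr":
        return ("arr", tsubst(t[1], a, s), tsubst(t[2], a, s))
    b, body = t[1], t[2]
    if b == a:                       # a is bound here; nothing to substitute
        return t
    if b in ftv(s):                  # rename b so it cannot capture a variable of s
        b2 = fresh(b)
        body, b = tsubst(body, b, ("tvar", b2)), b2
    return ("all", b, tsubst(body, a, s))

def db(t: Type, env: Tuple[str, ...] = ()) -> tuple:
    """de Bruijn form: equal iff the schemes differ only by change of bound variables."""
    k = t[0]
    if k == "tvar":
        return ("bound", env.index(t[1])) if t[1] in env else ("free", t[1])
    if k == "tcon":
        return t
    if k == "arr":
        return ("arr", db(t[1], env), db(t[2], env))
    return ("all", db(t[2], (t[1],) + env))

def alpha_eq(t1: Type, t2: Type) -> bool:
    return db(t1) == db(t2)

def typeof(term: Term, ctx: Dict[str, Type], strict: bool = True) -> Type:
    """Type of term from the basis ctx (the undischarged assumptions), or raise."""
    k = term[0]
    if k == "var":
        if term[1] not in ctx:
            raise TypingError(f"no assumption for {term[1]}")
        return ctx[term[1]]
    if k == "app":                                   # (-> e)
        f, x = typeof(term[1], ctx, strict), typeof(term[2], ctx, strict)
        if f[0] != "arr" or not alpha_eq(f[1], x):
            raise TypingError("(-> e): premises do not match")
        return f[2]
    if k == "lam":                                   # (-> i), discharging x : T
        x, T, body = term[1], term[2], term[3]
        return ("arr", T, typeof(body, {**ctx, x: T}, strict))
    if k == "tapp":                                  # (forall e)
        f = typeof(term[1], ctx, strict)
        if f[0] != "all":
            raise TypingError("(forall e): major premise is not universally quantified")
        return tsubst(f[2], f[1], term[2])
    a, body = term[1], term[2]                       # (forall i)
    if strict and any(a in ftv(T) for T in ctx.values()):
        raise TypingError(f"(forall i): {a} is free in an undischarged assumption")
    return ("all", a, typeof(body, ctx, strict))

A, B, THETA = ("tvar", "a"), ("tvar", "b"), ("tcon", "theta")
POLY_ID = ("tlam", "a", ("lam", "x", A, ("var", "x")))       # \a . \x:a . x
VOID = ("all", "b", B)                                        # Definition 2.15

def example_2_6() -> Type:
    """(\\a . \\x:a . x) theta, expected to get type theta -> theta."""
    return typeof(("tapp", POLY_ID, THETA), {})

def void_inhabitant() -> Term:
    """((\\b . \\x:b . \\b . x) T) (\\a . \\x:a . x) with T = (forall a)(a -> a).
    The inner \\b abstracts a type variable that is free in the assumption x : b,
    which (forall i) forbids; without that check the term gets type (forall b) b."""
    bad = ("tlam", "b", ("lam", "x", B, ("tlam", "b", ("var", "x"))))
    return ("app", ("tapp", bad, ("all", "a", ("arr", A, A))), POLY_ID)

def accepted(term: Term, strict: bool) -> bool:
    try:
        typeof(term, {}, strict)
        return True
    except TypingError:
        return False
```

Types are compared in (→e) up to change of bound variables by converting both to de Bruijn form, which is the work that rule $(=_{\alpha}'')$ does in Definition 2.12; rule $(=_{\alpha}')$ is not needed because the checker never compares terms.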




2.4  The  power  of  second  order  quantification 


It might appear that the next order of business is to add the type forming operators $\times$ and $+$ and to arrange to add the new atomic type $\mathsf{N}$. However, these additions turn out to be unnecessary, for all of these can be defined, as can their associated functions.

Definition 2.13 (Cartesian product type) Let $\alpha$ and $\beta$ be any two type schemes in TAP, and let $a$ be a type variable which does not occur free in $\alpha$ or $\beta$. Then the product type scheme $\alpha \times \beta$ and its associated pairing and projection operators are defined as follows:

(a) $\alpha \times \beta \equiv (\forall a)((\alpha \to (\beta \to a)) \to a)$;

(b) $\mathsf{D}_{\alpha,\beta} \equiv \lambda x{:}\alpha\,.\,\lambda y{:}\beta\,.\,\lambda a\,.\,\lambda z{:}\alpha \to (\beta \to a)\,.\,zxy$;

(c) $\mathsf{fst}_{\alpha,\beta} \equiv \lambda x{:}\alpha \times \beta\,.\,x\alpha(\lambda u{:}\alpha\,.\,\lambda v{:}\beta\,.\,u)$; and

(d) $\mathsf{snd}_{\alpha,\beta} \equiv \lambda x{:}\alpha \times \beta\,.\,x\beta(\lambda u{:}\alpha\,.\,\lambda v{:}\beta\,.\,v)$.

It is not at all difficult to prove that from these definitions we have
$$\mathsf{D}_{\alpha,\beta} : \alpha \to (\beta \to \alpha \times \beta),\qquad \mathsf{fst}_{\alpha,\beta} : \alpha \times \beta \to \alpha,\qquad \mathsf{snd}_{\alpha,\beta} : \alpha \times \beta \to \beta.$$
Furthermore, we can easily see that
$$\mathsf{fst}_{\alpha,\beta}(\mathsf{D}_{\alpha,\beta}MN) =_{\beta} M$$
and
$$\mathsf{snd}_{\alpha,\beta}(\mathsf{D}_{\alpha,\beta}MN) =_{\beta} N.$$

Definition 2.14 (Disjoint union type) Let $\alpha$ and $\beta$ be any two type schemes in TAP, and let $a$ be a type variable which does not occur free in $\alpha$ or $\beta$. Then the disjoint union type scheme $\alpha + \beta$ and its associated injection and case operators are defined as follows:

(a) $\alpha + \beta \equiv (\forall a)((\alpha \to a) \to ((\beta \to a) \to a))$;

(b) $\mathsf{inl}_{\alpha,\beta} \equiv \lambda x{:}\alpha\,.\,\lambda a\,.\,\lambda f{:}\alpha \to a\,.\,\lambda g{:}\beta \to a\,.\,fx$;

(c) $\mathsf{inr}_{\alpha,\beta} \equiv \lambda y{:}\beta\,.\,\lambda a\,.\,\lambda f{:}\alpha \to a\,.\,\lambda g{:}\beta \to a\,.\,gy$;

(d) $\mathsf{case}_{\alpha,\beta} \equiv \lambda z{:}\alpha + \beta\,.\,\lambda a\,.\,\lambda f{:}\alpha \to a\,.\,\lambda g{:}\beta \to a\,.\,zafg$.

It is easy to show that these definitions imply
$$\mathsf{inl}_{\alpha,\beta} : \alpha \to \alpha + \beta,\qquad \mathsf{inr}_{\alpha,\beta} : \beta \to \alpha + \beta,\qquad \mathsf{case}_{\alpha,\beta} : \alpha + \beta \to (\forall a)((\alpha \to a) \to ((\beta \to a) \to a)).$$
Furthermore, it is easy to show that if $\gamma$ is any type scheme and if $M$, $N$, $F$, and $G$ are any terms assigned types $\alpha$, $\beta$, $\alpha \to \gamma$, and $\beta \to \gamma$ respectively, then
$$\mathsf{case}_{\alpha,\beta}(\mathsf{inl}_{\alpha,\beta}M)\gamma FG =_{\beta} FM$$
and
$$\mathsf{case}_{\alpha,\beta}(\mathsf{inr}_{\alpha,\beta}N)\gamma FG =_{\beta} GN.$$

It turns out that we can also define the type void:

Definition 2.15 (Void type) $\mathsf{void} \equiv (\forall a)a$.

Then if $M : \mathsf{void}$, and if $\alpha$ is any type, then $M\alpha : \alpha$. It follows that if $M$ is any closed term such that $M : \mathsf{void}$, and if $\theta$ is any type constant, then $M\theta$ is a closed term assigned type $\theta$. This together with the normalization theorem proves the following result:

Theorem 2.4 There is no closed term $M$ such that
$$\vdash_{\mathrm{TAP}} M : \mathsf{void}.$$

We can also define the natural number type $\mathsf{N}$:

Definition 2.16 (Natural number type)

(a) $\mathsf{N} \equiv (\forall a)((a \to a) \to (a \to a))$;

(b) $0 \equiv \lambda a\,.\,\lambda x{:}a \to a\,.\,\lambda y{:}a\,.\,y$;

(c) $\sigma \equiv \lambda u{:}\mathsf{N}\,.\,\lambda a\,.\,\lambda x{:}a \to a\,.\,\lambda y{:}a\,.\,x(uaxy)$;

(d) $\pi \equiv \lambda u{:}\mathsf{N}\,.\,\mathsf{snd}_{\mathsf{N},\mathsf{N}}(u(\mathsf{N} \times \mathsf{N})Q(\mathsf{D}_{\mathsf{N},\mathsf{N}}00))$, where $Q \equiv \lambda v{:}\mathsf{N} \times \mathsf{N}\,.\,\mathsf{D}_{\mathsf{N},\mathsf{N}}(\sigma(\mathsf{fst}_{\mathsf{N},\mathsf{N}}v))(\mathsf{fst}_{\mathsf{N},\mathsf{N}}v)$; and

(e) $\mathsf{R} \equiv \lambda a\,.\,\lambda x{:}a\,.\,\lambda y{:}\mathsf{N} \to a \to a\,.\,\lambda z{:}\mathsf{N}\,.\,z(\mathsf{N} \to a)P(\lambda w{:}\mathsf{N}\,.\,x)z$, where $P \equiv \lambda v{:}\mathsf{N} \to a\,.\,\lambda w{:}\mathsf{N}\,.\,y(\pi w)(v(\pi w))$.

The term $\bar{n}$, which represents the natural number $n$, is defined to be
$$\sigma(\sigma(\ldots(\sigma 0)\ldots)),$$
where there are $n$ occurrences of $\sigma$.

It is not hard to show that
$$0 : \mathsf{N},\qquad \sigma : \mathsf{N} \to \mathsf{N},\qquad \pi : \mathsf{N} \to \mathsf{N},$$
and
$$\mathsf{R} : (\forall a)(a \to (\mathsf{N} \to a \to a) \to \mathsf{N} \to a).$$
It is also easy to show that
$$\bar{n} =_{\beta} \lambda a\,.\,\lambda x{:}a \to a\,.\,\lambda y{:}a\,.\,x(x(\ldots(xy)\ldots)),$$
where there are $n$ occurrences of $x$ after the last abstraction,
$$\pi 0 =_{\beta} 0,\qquad \pi(\sigma\bar{n}) =_{\beta} \bar{n},$$
and also, for any type scheme $\alpha$ and any terms $M$ and $N$ of types $\alpha$ and $\mathsf{N} \to \alpha \to \alpha$ respectively,
$$\mathsf{R}\alpha MN0 =_{\beta} M,\qquad \mathsf{R}\alpha MN(\sigma\bar{n}) =_{\beta} N\bar{n}(\mathsf{R}\alpha MN\bar{n}).$$

Finally, we can define an existential quantifier over all types to go along with our universal quantifier.

Definition 2.17 (Existential quantifier over all types) Let $\beta$ be any type scheme, and let $a$ be a type variable, which may occur free in $\beta$. Then the existential quantifier over all types and its associated operators are defined as follows:

(a) $(\exists a)\beta \equiv (\forall b)((\forall a)(\beta \to b) \to b)$,

(b) $\mathsf{single}_{\beta} \equiv \lambda c\,.\,\lambda x{:}[c/a]\beta\,.\,\lambda b\,.\,\lambda z{:}(\forall a)(\beta \to b)\,.\,zcx$,

(c) $\mathsf{project}_{\beta} \equiv \lambda x{:}(\exists a)\beta\,.\,\lambda b\,.\,\lambda z{:}(\forall a)(\beta \to b)\,.\,xbz$.

It is easy to show that
$$\mathsf{single}_{\beta} : (\forall c)([c/a]\beta \to (\exists a)\beta)$$
and
$$\mathsf{project}_{\beta} : (\exists a)\beta \to (\forall b)((\forall a)(\beta \to b) \to b).$$
It is also easy to show that if $\alpha$ and $\gamma$ are type schemes in which $a$ does not occur free and if $M$ and $F$ are terms assigned types $[\alpha/a]\beta$ and $(\forall a)(\beta \to \gamma)$ respectively, then
$$\mathsf{project}_{\beta}(\mathsf{single}_{\beta}\alpha M)\gamma F =_{\beta} F\alpha M.$$

Thus, we can think of $\mathsf{single}_{\beta}$ as a kind of singleton, or one-tuple, in which the object has type $[\alpha/a]\beta$, and $\mathsf{project}_{\beta}$ is as close as we can come to a projection function. Note that the type for $\mathsf{single}_{\beta}$ tells us that if $M$ is a term of type $[\alpha/a]\beta$, then $\mathsf{single}_{\beta}\alpha M$ is in type $(\exists a)\beta$, and the type for $\mathsf{project}_{\beta}$ tells us that if $M$ is a term of type $(\exists a)\beta$, $\gamma$ is any type scheme in which $a$ does not occur free, and $F$ is any term of type $(\forall a)(\beta \to \gamma)$, then $\mathsf{project}_{\beta}M\gamma F$ is in type $\gamma$; this gives us one of the important properties of existence in logic, as we shall see in Section 3.5.

It might appear that we can obtain a true projection function by forming $\mathsf{project}_{\beta}M\gamma F$ where $F\alpha M =_{\beta} M$. But this fails to work, for in this case $F$ must be
$$\lambda a\,.\,\lambda x{:}[\alpha/a]\beta\,.\,x,$$
which has type $(\forall a)([\alpha/a]\beta \to [\alpha/a]\beta)$, which means that $\alpha$ must be $a$ and $\gamma$ must be $[a/a]\beta$, which is just $\beta$ itself; thus, $a$ occurs free in both $\alpha$ and $\gamma$, which violates the conditions for the type of $\mathsf{project}_{\beta}$ given above.

Note Most of the terms defined in this subsection which have type schemes as parameters can be defined as terms representing functions applied to these type schemes. For example, if we define
$$\mathsf{D} \equiv \lambda a\,.\,\lambda b\,.\,\mathsf{D}_{a,b},$$
then for any type schemes $\alpha$ and $\beta$,
$$\mathsf{D}\alpha\beta =_{\beta} \mathsf{D}_{\alpha,\beta}.$$
This idea also works for $\mathsf{fst}$, $\mathsf{snd}$, $\mathsf{inl}$, $\mathsf{inr}$, $\mathsf{case}$ and $\mathsf{R}$. It fails to work for $\mathsf{single}_{\beta}$ and $\mathsf{project}_{\beta}$ because of the type variable which occurs free in $\beta$ (in the interesting cases) and which is bound in the definitions. Furthermore, since we do not have in TAP any machinery for representing functions whose values are types, we cannot do a similar thing for $\alpha \times \beta$ or $\alpha + \beta$.
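The encodings of Definitions 2.13 through 2.17 with their types erased, as an added Python example (not code from the MATHESIS/ULYSSES document). Dropping every type abstraction $\lambda a$ and type application $M\alpha$ leaves untyped λ-terms that Python closures can play directly, so the conversion equations of this subsection become executable checks; that this erasure preserves β-reduction is an assumption of the example, not a claim made by the text. The constructed sample values $M$, $N$, $F$ and $G$ and the helper names `numeral`, `to_int`, `checks` and `factorial` are this example's own. `factorial` goes beyond the text by using $\mathsf{R}$ to compute $n!$, which is the equation $\mathsf{R}\alpha MN(\sigma\bar{n}) =_{\beta} N\bar{n}(\mathsf{R}\alpha MN\bar{n})$ unfolded $n$ times.

```python
# The Section 2.4 encodings with types erased.  Added example; this is not
# code from the MATHESIS/ULYSSES document.  Every type abstraction \a and
# type application M alpha of Definitions 2.13-2.17 is dropped, leaving
# untyped lambda-terms played by Python closures.  That erasure preserves
# beta-reduction is an assumption of this example, not a claim of the text.
from typing import Any, Callable

Term = Any   # a Python closure standing for an untyped lambda-term

# Definition 2.13: pairs.  D = \x.\y.\z. z x y, fst = \p. p (\u.\v.u), snd = \p. p (\u.\v.v)
D = lambda x: lambda y: lambda z: z(x)(y)
fst = lambda p: p(lambda u: lambda v: u)
snd = lambda p: p(lambda u: lambda v: v)

# Definition 2.14: disjoint unions.  case z gamma F G erases to z F G
inl = lambda x: lambda f: lambda g: f(x)
inr = lambda y: lambda f: lambda g: g(y)
case = lambda z: lambda f: lambda g: z(f)(g)

# Definition 2.16: Church numerals 0 and sigma; numeral(n) builds n-bar
zero = lambda x: lambda y: y
sigma = lambda u: lambda x: lambda y: x(u(x)(y))

def numeral(n: int) -> Term:
    t = zero
    for _ in range(n):
        t = sigma(t)
    return t

def to_int(t: Term) -> int:
    """Read a numeral back by iterating k -> k+1 on 0."""
    return t(lambda k: k + 1)(0)

# Definition 2.16(d): predecessor pi via the pair (n, n-1).  Q = \v. D (sigma (fst v)) (fst v)
Q = lambda v: D(sigma(fst(v)))(fst(v))
pi = lambda u: snd(u(Q)(D(zero)(zero)))

def R(x: Term, y: Callable, z: Term) -> Term:
    """Definition 2.16(e): R alpha x y z = z (N -> alpha) P (\\w.x) z with
    P = \\v.\\w. y (pi w) (v (pi w)); erased, the numeral z iterates P over \\w.x."""
    P = lambda v: lambda w: y(pi(w))(v(pi(w)))
    return z(P)(lambda w: x)(z)

# Definition 2.17: single_beta c x = \b.\z. z c x,  project_beta x = \b.\z. x b z
single = lambda x: lambda z: z(x)
project = lambda x: lambda z: x(z)

def checks() -> dict:
    """The conversion equations of Section 2.4 on constructed sample terms."""
    M, N = "M", "N"
    F, G = (lambda m: ("F", m)), (lambda n: ("G", n))
    step = lambda n: lambda acc: ("N", to_int(n), acc)   # plays N in R alpha M N
    return {
        "fst (D M N) = M": fst(D(M)(N)) == M,
        "snd (D M N) = N": snd(D(M)(N)) == N,
        "case (inl M) F G = F M": case(inl(M))(F)(G) == F(M),
        "case (inr N) F G = G N": case(inr(N))(F)(G) == G(N),
        "pi 0 = 0": to_int(pi(zero)) == 0,
        "pi (sigma n) = n": all(to_int(pi(sigma(numeral(n)))) == n for n in range(6)),
        "R M N 0 = M": R(M, step, zero) == M,
        "R M N (sigma n) = N n (R M N n)":
            R(M, step, numeral(3)) == step(numeral(2))(R(M, step, numeral(2))),
        "project (single M) F = F M": project(single(M))(F) == F(M),
    }

def factorial(n: int) -> int:
    """n! by primitive recursion: R 1 (\\k.\\acc. (k+1) * acc) n-bar, decoded."""
    step = lambda k: lambda acc: numeral((to_int(k) + 1) * to_int(acc))
    return to_int(R(numeral(1), step, numeral(n)))
```

Because the pair trick in $\pi$ rebuilds $(\bar{n}, \overline{n-1})$ from $(\overline{n-1}, \overline{n-2})$ one step at a time, `pi` costs time linear in the numeral, and `R` calls it twice per recursion step; the encoding is faithful to the definitions, not efficient.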
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2.5  Generalized  type  assignment 

Although the two type-forming operators $\to$ and $\forall$ may appear to be entirely distinct, they can be made special instances of a more general type-forming operator. This more general operator is central to the theory of constructions.

This more general operator is obtained by extending the meaning of "type" in TA by defining $(\forall x : \alpha)\beta$ to be a type whenever $\alpha$ and $\beta$ are types and $x$ does not occur free in $\alpha$. Here, $x$ may occur free in $\beta$. Thus, the notion of type used here is much more general than the notion of type in TA. But let us ignore this for the moment and look at the elimination and introduction rules for these types, which are as follows:

$$(\forall_{\alpha}\mathrm{e})\quad \frac{M : (\forall x : \alpha)\beta \qquad N : \alpha}{MN : [N/x]\beta}$$

$$(\forall_{\alpha}\mathrm{i})\quad \frac{\begin{array}{c}[x : \alpha]\\ M : \beta\end{array}}{\lambda x{:}\alpha\,.\,M : (\forall x : \alpha)\beta}\qquad\text{Condition: } x \text{ does not occur free in } \alpha \text{ or in any undischarged assumption.}$$

If $x$ does not occur free in $\beta$, then $(\forall x : \alpha)\beta$ behaves just like $\alpha \to \beta$, and the above rules become (→e) and (→i). Hence, if $(\forall x : \alpha)\beta$ is a type whenever $\alpha$ and $\beta$ are types, then $\alpha \to \beta$ can be defined to be $(\forall x : \alpha)\beta$ for a variable $x$ which does not occur free in either $\alpha$ or $\beta$.

Systems like this are called systems of generalized type assignment, and are covered in Hindley & Seldin [HS86] Chapter 16 and in the references given there. Note that the notation is different there, since what we are denoting by $(\forall x : \alpha)\beta$ is there denoted by $\mathsf{G}\alpha(\lambda x.\beta)$, and what is there denoted by $\mathsf{G}\alpha\beta$ is here denoted by $(\forall x : \alpha)(\beta x)$.

As we noted above, the definition of type needed for this sort of system is much more complicated than that used in TA. In TA it is sufficient to define types, and except for type variables there are no variables which occur in types. But here, in order to have a system which is really more interesting than TA, it is necessary to have types in which term variables occur. This means, in effect, that we need not only types, but also functions whose values are types. Hence, any formalism for generalized type assignment must include terms representing such functions.

Systems of generalized type assignment can be classified by the kinds of functions they have whose values are types, and in particular by what kinds of domains such functions can have. The simplest assumption to make about such functions is that the domains are all universal; i.e., if $\alpha$ is any type function of $n$ arguments and $M$ is any term whatsoever, then $\alpha M$ is a type function of $n - 1$ arguments (where, of course, $n \geq 1$). A system of this sort is called basic generalized type assignment, and we shall look at such systems in Section 2.7. The only alternative is to allow functions whose values are types over restricted domains. One possibility, for example, is to allow functions whose values are types when the arguments are natural numbers, but not necessarily otherwise. Including functions of this kind complicates the definition of the systems: either the definition of type and type function must list each restricted domain used, or else the machinery of type assignment itself must be used to define the functions involved. We shall see more about this in Section 2.8.
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2.6  The  need  for  conversion  rules 


Before we proceed, we need to consider the question of conversion. In TA, we have the subject-reduction theorem (Theorem 2.1), which says that type assignment is invariant under reduction. As we shall see below, a similar result holds for generalized type assignment. For this reason, we have not paid attention to conversions among terms to which types are assigned. Furthermore, in TA, the structure of the types is so simple that the question of conversions between types just does not come up. But in generalized type assignment, the structure of types is more complicated, and so interesting conversions arise.

The best example of this can be seen in terms of the system TAGU of Section 2.8 below (Definition 2.24). Suppose one of the types is $\mathsf{U}$ of that system, and suppose we internalize the definition of $\to$ (which we discussed in Section 2.5) as follows (using Curry's notation):
$$\mathsf{F} \equiv \lambda u{:}\mathsf{U}\,.\,\lambda v{:}\mathsf{U}\,.\,(\forall x : u)v.$$
It is not hard to show that $\mathsf{F}$ has type $(\forall u : \mathsf{U})(\forall v : \mathsf{U})\mathsf{U}$. Now suppose we have, for $\alpha : \mathsf{U}$ and $\beta : \mathsf{U}$,
$$M : \mathsf{F}\alpha\beta$$
and
$$N : \alpha.$$
We would like to be able to conclude
$$MN : \beta.$$
However, to do this with our rules requires
$$M : (\forall x : \alpha)\beta,$$
whereas all we have is
$$M : (\lambda u{:}\mathsf{U}\,.\,\lambda v{:}\mathsf{U}\,.\,(\forall x : u)v)\alpha\beta.$$
It is true that this latter type converts to $(\forall x : \alpha)\beta$, but with the rules we have so far this is no help.

To solve this problem, we introduce the following rule, in which $\alpha = \beta$ means that $\alpha$ converts to $\beta$:
$$(\mathrm{Eq}'')\quad \frac{M : \alpha \qquad \alpha = \beta}{M : \beta}$$
(On the reason for the name of this rule, see Hindley & Seldin [HS86].) This rule is often written with the conversion as a side condition:
$$\frac{M : \alpha}{M : \beta}\qquad \alpha = \beta.$$

It might appear that the introduction of this rule significantly complicates the nature of deductions and raises problems with the subject-construction theorem. But in fact it is possible to limit the places in which this rule is used:

Theorem 2.5 In a system of generalized type assignment in which the rules are (∀α e), (∀α i), (=α) and (Eq'') (and in which there may be axioms), any deduction can be transformed into another deduction with the same undischarged assumptions and conclusion in which each inference by rule (Eq'') occurs either just above the major (left) premise for an inference by rule (∀α e) or else just above the conclusion.

Proof This follows from the fact that the following transformations can be carried out systematically throughout any deduction. An inference by (Eq'') just above the premise of an inference by (∀α i) is moved below it:
$$\frac{\dfrac{\begin{array}{c}[x : \alpha]\\ \mathcal{D}\\ M : \beta\end{array}}{M : \gamma}\;(\mathrm{Eq}'')}{\lambda x{:}\alpha\,.\,M : (\forall x : \alpha)\gamma}\;(\forall_{\alpha}\mathrm{i})\qquad\Longrightarrow\qquad \frac{\dfrac{\begin{array}{c}[x : \alpha]\\ \mathcal{D}\\ M : \beta\end{array}}{\lambda x{:}\alpha\,.\,M : (\forall x : \alpha)\beta}\;(\forall_{\alpha}\mathrm{i})}{\lambda x{:}\alpha\,.\,M : (\forall x : \alpha)\gamma}\;(\mathrm{Eq}'')$$
An inference by (Eq'') just above the premise of an inference by (=α) is moved below it:
$$\frac{\dfrac{\begin{array}{c}\mathcal{D}\\ M : \alpha\end{array}}{M : \beta}\;(\mathrm{Eq}'')}{N : \beta}\;(=_{\alpha})\qquad\Longrightarrow\qquad \frac{\dfrac{\begin{array}{c}\mathcal{D}\\ M : \alpha\end{array}}{N : \alpha}\;(=_{\alpha})}{N : \beta}\;(\mathrm{Eq}'')$$
An inference by (Eq'') just above the minor (right) premise of an inference by (∀α e) is moved to the major premise, since $(\forall x : \alpha)\beta$ converts to $(\forall x : \alpha')\beta$ whenever $\alpha'$ converts to $\alpha$:
$$\frac{\begin{array}{c}\mathcal{D}_1\\ M : (\forall x : \alpha)\beta\end{array}\qquad\dfrac{\begin{array}{c}\mathcal{D}_2\\ N : \alpha'\end{array}}{N : \alpha}\;(\mathrm{Eq}'')}{MN : [N/x]\beta}\;(\forall_{\alpha}\mathrm{e})\qquad\Longrightarrow\qquad \frac{\dfrac{\begin{array}{c}\mathcal{D}_1\\ M : (\forall x : \alpha)\beta\end{array}}{M : (\forall x : \alpha')\beta}\;(\mathrm{Eq}'')\qquad\begin{array}{c}\mathcal{D}_2\\ N : \alpha'\end{array}}{MN : [N/x]\beta}\;(\forall_{\alpha}\mathrm{e})$$
Two consecutive inferences by (Eq'') are merged into one, since conversion is transitive. Each transformation moves an inference by (Eq'') further down the deduction, so repeating them leaves every such inference either just above the major premise of an inference by (∀α e) or just above the conclusion.
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2.7  Basic  generalized  type  assignment 

As we noted in Section 2.5, the simplest form of generalized type assignment assumes that any term can be any argument of any type-valued function. The system based on this assumption is called basic generalized type assignment, abbreviated TAG.

The  first  step  in  defining  this  system  is  to  define  the  terms  and  the  types.  In  this 
case,  the  types  will  all  be  terms,  so  we  begin  with  the  terms.  Because  type  functions 
will  take  any  terms  as  arguments,  it  turns  out  to  be  convenient  not  to  carry  along  in 
the  notation  the  type  of  each  bound  variable. 

Definition 2.18 (TAG terms) The terms of TAG are defined from countably many term variables x1, x2, ..., xn, ... and some term constants, including a finite or infinite sequence of constants θ1, θ2, ..., as follows:

(a) every term variable and term constant is a term;

(b) if M and N are terms, then so is (M N); and

(c) if x is a term variable and A and M are terms, then (λx.M) and (∀x : A)M are terms.

With each constant θ_i is associated a non-negative integer dg(θ_i) called its degree. The constants θ_i are called type constants.

Reduction for TAG terms will be defined as in Definition 1.6; the only possible contractions in a term of the form (∀x : A)M will be those which take place entirely inside A and M.

Now we can define the types and type functions. Each type function will have a rank (the number of occurrences of ∀) and a degree.² The types will be the type functions of degree 0.

Definition 2.19 (Atomic type function) A term α is said to be an atomic type function of degree n if and only if

α ≡ θ M1 M2 ... Mk,

where θ is a type constant of degree k + n and M1, M2, ..., Mk are any terms.

Definition 2.20 (Proper TAG type functions) The term α is a proper TAG type function of rank m and degree n if and only if one of the following conditions is met:

(a) α is an atomic type function of degree n and m = 0;

(b) α ≡ λx.β, where β is a proper TAG type function of rank m and degree n − 1 (and where, of course, n > 0);

(c) α ≡ (∀x : β)γ, where β and γ are proper TAG type functions of degree 0, n = 0, and m = 1 + rank(β) + rank(γ).

²The number of arguments needed to produce a type. The degree of a type constant is a special case of the degree of an atomic type function, which, in turn, is a special case of the degree of a type function.


Definition 2.21 (TAG type functions) The term α is a TAG type function of rank m and degree n if and only if there is a proper TAG type function β of rank m and degree n such that α ▷ β. A TAG type is a TAG type function of degree 0.


Theorem 2.6 The degree and rank of a TAG type function are unique. Furthermore, TAG type functions have the following properties:

T1. If α is a TAG type function of rank m and degree n and if β is any term such that α = β, then β is a TAG type function of rank m and degree n;

T2. If α is a TAG type function of rank m and degree n, then λx.α is a TAG type function of rank m and degree n + 1, and conversely;

T3. If α is a TAG type function of rank m and degree n + 1 and if M is any term, then αM is a TAG type function of rank m and degree n; and

T4. (∀x : α)β is a TAG type function of rank m and degree 0 if and only if α and β are TAG type functions of ranks j and k respectively and degree 0 and m = 1 + j + k.

Proof See Hindley & Seldin [HS86] Theorem 16.27 and Remark 16.28. ■

Definition 2.22 (The type assignment system TAG) The system TAG is a natural deduction system. Its formulas have the form

M : α,

where M is a term and α is a TAG type. TAG has no axioms. Its rules are (∀α e), (∀α i), (Eq'') and (=ξ).

Remark It might seem unnecessary to postulate rule (Eq'') here, since the argument of Section 2.6 does not apply to this system. But it is traditional to postulate it, especially since in the earliest versions (∀x : α)β was only an abbreviation for Gα(λx.β), and rule (∀α e) had to be obtained from the following rule:

$$\dfrac{M : G\alpha\beta \qquad N : \alpha}{MN : \beta N}$$

To obtain our rule (∀α e) from this rule requires rule (Eq''); indeed, to use the elimination rule given here in a nontrivial way requires rule (Eq''). See Hindley & Seldin [HS86] Section 16D2.

The theory of TAG is similar to the theory of TA (Section 2.1). There are some complications, but for the case we are considering here they are not serious. For example, rules (Eq'') and (=ξ) complicate the subject-construction property, but a version of the property holds (see Hindley & Seldin [HS86] Remark 16.37). The replacement lemma (Lemma 2.1) needs some modification, but a version of it can be proved that will work with the subject-reduction theorem (Theorem 2.1), which holds for β-reduction (Hindley & Seldin [HS86] Lemma 16.31 and Theorem 16.41). The normalization theorem for deductions (Theorem 2.2) also holds (Hindley & Seldin [HS86]).

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In fact, TAG is not much stronger than TA. It can be shown that if a term is assigned a type by TAG, then it is assigned a type by TA, although TAG may assign more general types. (See Hindley & Seldin [HS86] Theorem 16.61.) And if all of the type constants have degree 0, then TAG is equivalent to TA (Hindley & Seldin [HS86] Corollary 16.61.1). These facts may appear to show that TAG is too weak to be interesting. Perhaps it is better to take them as showing that TAG is a kind of conservative extension of TA, and thus that the basic formalism on which TAG is based is sound. This can give us some confidence in extending TAG, as we now proceed to do in the next section.
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2.8  Extended  generalized  type  assignment 

As we noted at the end of Section 2.1, there are two ways to generalize TAG: one is to modify the definition of type to allow certain special types (such as the type N of natural numbers) to serve as restricted domains for type functions, and the other is to use the machinery of type assignment itself to define the types. Since the second approach is obviously more general, we shall adopt it here.

Thus, we now suppose that there is a type of types, or a "universal" type, which for now we shall call U. All the types in which we are interested will be in U. The system we shall define here will be called "TAGU". The reasons we had for not supplying the type of a bound variable no longer apply, so we shall return to the more familiar notation.

Definition 2.23 (TAGU terms) The terms of TAGU are defined from countably many term variables x1, x2, ..., xn, ..., and some term constants, which include U, as follows:

(a) every term variable and term constant is a term;

(b) if M and N are terms, then so is (M N); and

(c) if x is a term variable and A and M are terms, then (λx:A . M) and (∀x : A)M are terms.

Reduction for TAGU terms will be defined using the β'-redexes of Definition 2.11. The only possible contractions in a term of the form (∀x : A)M are those which take place entirely inside A and M.

Definition 2.24 (The type assignment system TAGU) The system TAGU is a natural deduction system. Its formulas have the form

M : A

where M and A are terms. It has no axioms. Its rules are (Eq''), (=ξ), and the following:

Rules of type formation:

$$(\forall\ \text{Formation})\qquad \dfrac{\begin{array}{c}[x:A]\\ B : U\end{array}\qquad A : U}{(\forall x:A)B : U}\qquad \text{Condition: } x \text{ does not occur free in } A \text{ or in any undischarged assumption.}$$

$$(\mathrm{Eq}'U)\qquad \dfrac{A : U \qquad A = B}{B : U}$$

Rules of type assignment:

$$(\forall\ e)\qquad \dfrac{M : (\forall x:A)B \qquad N : A}{MN : [N/x]B}$$

$$(\forall U\ i)\qquad \dfrac{\begin{array}{c}[x:A]\\ M : B\end{array}\qquad A : U}{\lambda x{:}A\,.\,M : (\forall x:A)B}\qquad \text{Condition: } x \text{ does not occur free in } A \text{ or in any undischarged assumption.}$$

Rule (Eq'U) is a natural rule to go with rule (Eq''). We can extend the proof of Theorem 2.5 to virtually eliminate it from any deduction.

Theorem 2.7 Every deduction in TAGU can be transformed into a deduction with the same undischarged assumptions and conclusion in which each inference by either of rules (Eq'') and (Eq'U) occurs just above the major (left) premise for an inference by rule (∀ e) (in which case it is an inference by rule (Eq'')) or just above the minor (right) premise for an inference by rule (∀U i) (in which case it is an inference by rule (Eq'U)) or just above the conclusion.³

Proof Note that each rule which discharges an assumption of the form x : A has a premise of the form A : U which does not depend on the discharged assumption. Let us call the deduction of this latter premise the independent subdeduction of the rule and the deduction of the other premise the dependent subdeduction. The proof is obtained by transformations which move an inference by one of the equality rules from an independent subdeduction of a rule to the dependent subdeduction of the same rule or else to below the conclusion, from a dependent subdeduction to below the conclusion, from just above a minor premise of (∀ e) to just above the major premise, or from just above an inference by (=ξ) to below the conclusion. If an inference by rule (Eq'') occurs just above an inference by rule (Eq'U), then the transformations moving the latter inference are applied before an attempt is made to move the former (since clearly, an inference by rule (Eq'') occurring just above an inference by rule (Eq'U) cannot be moved below it without invalidating it). The last two kinds of transformations are II and III of Theorem 2.5; in addition, we now need the following transformations:

³Note that it is possible to have an inference by rule (Eq'U) followed immediately by an inference by rule (Eq''), the conclusion of which is the conclusion of the deduction. In this case, the inference by rule (Eq'U) will be regarded as occurring just above the conclusion.


(VUi)  [x  :  A] 

M : B  A:  U 

Ai:r4  .  M  :  (Vx  :  A)B 


n; 

111 

p 
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the best we can do is the transformation which takes

$$\dfrac{\begin{array}{c}[x:A]^{1}\\ \mathcal{D}_1\\ M : B\end{array}\qquad\dfrac{\begin{array}{c}\mathcal{D}_2\\ C : U\end{array}}{A : U}\ (\mathrm{Eq}'U)}{\lambda x{:}A\,.\,M : (\forall x:A)B}\ (\forall U\ i\ 1)$$

to

$$\dfrac{\dfrac{\begin{array}{c}\dfrac{[x:C]^{1}}{x : A}\ (\mathrm{Eq}'')\\ \mathcal{D}_1\\ M : B\end{array}\qquad\begin{array}{c}\mathcal{D}_2\\ C : U\end{array}}{\lambda x{:}C\,.\,M : (\forall x:C)B}\ (\forall U\ i\ 1)}{\lambda x{:}C\,.\,M : (\forall x:A)B}\ (\mathrm{Eq}'')$$

Note that this transformation changes the type of the bound variable in the term to the left of the colon, and therefore cannot be used with this theorem.

This system is a part of the type theory of Martin-Löf, and is, in fact, one of the most important parts; see the references listed under his name. At the same time, the system has some weaknesses. For example, it is weaker than TAP: the condition A : U in rule (∀U i) prevents inferences corresponding to those by rule (∀i) in TAP because U : U does not hold.⁴ There are several ways one might extend this system. One might follow Martin-Löf himself by introducing more universes. Thus, the type U would become U0, and a new sequence of types U1, U2, ..., Un, ... (finitely or infinitely many) would be introduced with axioms such as Un : Un+1 and rules such as the following:

$$\dfrac{A : U_n}{A : U_{n+1}}$$

Then in rules (∀ Formation) and (∀U i), U may be replaced by any Un. But this system is still weaker than TAP.

⁴In fact, adding U : U to TAGU makes the system inconsistent; see [Coq86a].




Another way to extend TAGU is to add two more rules: the formation rule

$$\dfrac{\begin{array}{c}[x:U]\\ A : U\end{array}}{(\forall x:U)A : U}\qquad \text{Condition: } x \text{ does not occur free in any undischarged assumption,}$$

and the type assignment rule

$$\dfrac{\begin{array}{c}[x:U]\\ M : A\end{array}}{\lambda x{:}U\,.\,M : (\forall x:U)A}\qquad \text{Condition: } x \text{ does not occur free in any undischarged assumption.}$$

This system is called TACL in Hindley & Seldin [HS86] §16E, since there U is called L. Furthermore, TAP can be interpreted in this system. Nevertheless, the system is still not as strong as one might want, since one might wonder why not allow x : U → U as the discharged assumption.

In Chapter 4, we shall consider the theory of constructions, introduced by Coquand [Coq85]. This turns out to be the best available system of this kind. (See Chapter 4 for further references.)


l55S:§:s 


M'S©? 

H 

m 

Bi 


mm 

WM 


■f 


r&kkS 


I 

K 

s 


vs 

$ 

a.. 


mm 


iSL 

im 


.fetes*' 


Chapter  3 

CONSTRUCTIVE  LOGIC 

A reader who has read this far is now in a position to understand the basic rules and the metatheory of the theory of constructions. However, there is an important aspect of the theory of constructions that we have not discussed; it has to do not with the underlying rules but rather with its intended interpretation. This interpretation is an important part of the motivation Coquand had in creating the system. Some readers might find it useful to consider this interpretation before proceeding to the theory of constructions itself. For this reason, the theory of constructions will be postponed to Chapter 4, and in this chapter we will consider that interpretation.

The interpretation is what is usually known as the Curry-Howard isomorphism, or formulas-as-types idea. The essence of it is that in systems of type assignment, types can be thought of as formulas and terms as proofs or deductions. We will consider this here for constructive logic, and it is with this that we will begin (in the latter part of this introduction). In Section 3.1, we take up a simple fragment of the propositional calculus for constructive logic in which the only logical connective is ⊃ (if-then). In Section 3.2, we explain the essentials of the formulas-as-types idea. For some readers, this may be enough, and these readers are invited to proceed to Chapter 4 after completing Section 3.2.

For readers who want more, we consider in Sections 3.3-3.4 the extension of these ideas to propositional calculus with the additional connectives ∧ (and), ∨ (or), and ¬ (not). Again, many readers may wish to proceed to Chapter 4 after completing Section 3.4.

But for those who want still more, we consider in Sections 3.5-3.6 the extension of these ideas to predicate logic, both first order logic (Section 3.5) and higher order logic¹ (Section 3.6). The systems TAJ and TAT presented in these sections will seem strange to some people, and they are not strictly necessary for using the theory of constructions, but they do give some useful information about much of its motivation and intended interpretation.


Let us now turn our attention to constructive logic. Most people who have heard of constructive logic understand that it has something to do with existence proofs. But in fact, the difference between classical and constructive logic involves more than that. In classical logic we are only interested in whether or not a proposition is true. In constructive logic we are interested in whether or not a proposition has a proof, and we do not want to assert its provability without having access to a proof.

This difference can be illustrated with formulas involving implication. A formula A ⊃ B is classically false when A is true and B is false; it is true for all other combinations of truth values for A and B. Note that its truth value depends only on the truth values of A and B; how these truth values are established is classically irrelevant.

In constructive logic, implication is not truth functional; the truth of A ⊃ B depends on much more than the truth values of A and B. In fact, instead of specifying when A ⊃ B is true, we need to specify what it means to have a proof of A ⊃ B. The standard constructive specification is as follows: a proof of A ⊃ B is a function [program] which, given any proof of A as an argument [input], produces a proof of B as a value [output].

Truth in classical logic (at least propositional logic) can be defined by means of truth tables. In constructive logic, however, we really need to introduce a kind of calculus of

3.1  The  D-calculus 

One way of defining a system of formal logic that seems especially suited to constructive logic is to use a natural deduction system of the kind introduced by Jaskowski [Jas34] and Gentzen [Gen34] and studied extensively by Prawitz [Pra65]. We have seen the method of writing rules used by Gentzen and Prawitz in Section 2.1, but we have not really discussed natural deduction systems as such. In a natural deduction system, each logical constant is characterized by two rules, one for introducing it and one for eliminating it. In the case of implication, these two rules are as follows:

$$(\supset e)\quad \dfrac{A \supset B \qquad A}{B}\qquad\qquad (\supset i)\quad \dfrac{\begin{array}{c}[A]\\ B\end{array}}{A \supset B}$$

Rule (⊃ e) is also known as modus ponens, and rule (⊃ i) is sometimes called the deduction theorem.

A formal calculus of propositional logic for the constructive theory of ⊃ can be defined as follows:

Definition 3.1 (⊃-formulas) Assume that there are (finitely or countably many) atomic formulas E1, E2, ..., En, .... Then ⊃-formulas, or formulas, are defined as follows:

(a) Every atomic formula is a formula;

(b) If A and B are formulas, then so is (A ⊃ B). Unnecessary parentheses will be omitted. Furthermore,

A1 ⊃ A2 ⊃ ... ⊃ An ⊃ B

will be regarded as an abbreviation for

A1 ⊃ (A2 ⊃ (...(An ⊃ B)...)).

Definition 3.2 (The formal calculus NA(⊃)) The formal calculus NA(⊃)² is a natural deduction system. Its formulas are ⊃-formulas. It has no axioms; its rules are (⊃ e) and (⊃ i) given above.

Here are some examples of deductions in NA(⊃), given in table form:

Example 3.1 ⊢_{NA(⊃)} A ⊃ A

Proof.

1. A          Hyp        1
2. A ⊃ A      1 (⊃ i)

²The name NA(⊃) means the implication fragment of NA. Here the "N" stands for "natural deduction", while "A" stands for "absolute", a term used by Curry [Cur63] to stand for constructive logic without negation. (Curry, who was using "N" for negation, called the system TA, but here this would be confused with "type assignment". The letter "N" was used in this way by Gentzen [Gen34].)
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Example 3.2 A ⊃ B ⊃ A

Proof.

1. A                 Hyp        1
2. B ⊃ A             1 (⊃ i)    1
3. A ⊃ B ⊃ A         2 (⊃ i)

Example 3.3 ⊢_{NA(⊃)} (A ⊃ B ⊃ C) ⊃ (A ⊃ B) ⊃ A ⊃ C

Proof.

1. A ⊃ B ⊃ C                          Hyp          1
2. A ⊃ B                              Hyp          2
3. A                                  Hyp          3
4. B ⊃ C                              1,3 (⊃ e)    1,3
5. B                                  2,3 (⊃ e)    2,3
6. C                                  4,5 (⊃ e)    1,2,3
7. A ⊃ C                              6 (⊃ i)      1,2
8. (A ⊃ B) ⊃ A ⊃ C                    7 (⊃ i)      1
9. (A ⊃ B ⊃ C) ⊃ (A ⊃ B) ⊃ A ⊃ C      8 (⊃ i)

Example 3.4 A ⊃ B, B ⊃ C ⊢_{NA(⊃)} A ⊃ C

Proof.

1. A ⊃ B        Hyp          1
2. B ⊃ C        Hyp          2
3. A            Hyp          3
4. B            1,3 (⊃ e)    1,3
5. C            2,4 (⊃ e)    1,2,3
6. A ⊃ C        5 (⊃ i)      1,2

In tree form, the examples are as follows:

Example 3.1'

$$\dfrac{[A]^{1}}{A \supset A}\ (\supset i\ 1)$$

Example 3.2'

$$\dfrac{\dfrac{[A]^{1}}{B \supset A}\ (\supset i)}{A \supset B \supset A}\ (\supset i\ 1)$$

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Example 3.3'

$$\dfrac{\dfrac{\dfrac{\dfrac{[A \supset B \supset C]^{1}\qquad [A]^{3}}{B \supset C}\ (\supset e)\qquad\dfrac{[A \supset B]^{2}\qquad [A]^{3}}{B}\ (\supset e)}{C}\ (\supset e)}{A \supset C}\ (\supset i\ 3)}{(A \supset B) \supset A \supset C}\ (\supset i\ 2)}{(A \supset B \supset C) \supset (A \supset B) \supset A \supset C}\ (\supset i\ 1)$$

Example 3.4'

$$\dfrac{\dfrac{\begin{array}{c}\text{Hyp}\\ B \supset C\end{array}\qquad\dfrac{\begin{array}{c}\text{Hyp}\\ A \supset B\end{array}\qquad [A]^{1}}{B}\ (\supset e)}{C}\ (\supset e)}{A \supset C}\ (\supset i\ 1)$$

3.2 Formulas-as-types

If Definition 3.1 is compared with the remarks immediately before Definition 1.3 (in Section 1.2), it will be observed that the ⊃-formulas are isomorphic to the type symbols used in defining the basic typed λ-terms; each atomic formula E_i corresponds to an atomic type θ_i, and if A and B correspond to α and β respectively, then A ⊃ B corresponds to α → β. If Definition 3.2 is compared with Definition 2.3, it should be clear that deductions in NA(⊃) are isomorphic to deductions in TA. Now by the subject-construction theorem, the terms in deductions in TA are isomorphic to the deductions. Hence, we can think of TA as a calculus of deductions of NA(⊃), where the types represent the formulas and the terms represent the deductions. If we make use of Definition 2.3, we can use basic typed λ-terms to represent deductions in NA(⊃).

This correspondence between typed λ-calculus and propositional logic was first noticed by Curry in [CF58] Section 9E, and was later extended independently by a number of people, including W. A. Howard [How80]. (For more references, see Hindley & Seldin [HS86] Discussion 14.46.) The correspondence is usually called the formulas-as-types isomorphism or the Curry-Howard isomorphism.

As we noted after Definition 2.3, a β-reduction step for deductions in TA is similar to the ⊃-reduction step of Prawitz [Pra65]. In fact, under the formulas-as-types isomorphism, the two kinds of reduction steps correspond exactly. The proof of Theorem 2.2 (i.e., the proof of Theorem 1.2) together with the isomorphism proves Prawitz's result for NA(⊃), namely that every deduction can be reduced to a normal form. Here, a normal form means that nowhere in the deduction is the conclusion of an inference by (⊃ i) the major (left) premise for an inference by (⊃ e).

This isomorphism can also be used to show that certain formulas are not provable in NA(⊃). Let us consider as an example the formula known as Peirce's law:

((A ⊃ B) ⊃ A) ⊃ A.

It is not hard to see that this formula is classically true, for it is only necessary to consider what assignment of truth values could make it false. This would require an assignment that makes A false and (A ⊃ B) ⊃ A true. Now if A is false and (A ⊃ B) ⊃ A is true, then A ⊃ B must also be false, but this is impossible if A is false. Thus, Peirce's law is always assigned the value true by a truth table. Nevertheless, it is not constructively valid.

Theorem 3.1 The formula scheme ((A ⊃ B) ⊃ A) ⊃ A is not provable in NA(⊃).

Proof If this formula were provable, it would be the conclusion of a normal deduction in which every assumption is discharged. By the formulas-as-types isomorphism, it would follow that for any two types α and β, there is a closed term M in normal form such that

⊢_TA M : ((α → β) → α) → α.

It follows that M : ((α → β) → α) → α is the conclusion of a deduction D in normal form. By the subject-construction theorem, M must have the form λx.N for some term N for which FV(N) ⊆ {x}, and D must have the form

$$\dfrac{\begin{array}{c}[x : (\alpha\to\beta)\to\alpha]^{1}\\ \mathcal{D}_1\\ N : \alpha\end{array}}{\lambda x.N : ((\alpha\to\beta)\to\alpha)\to\alpha}\ (\to i\ 1)$$

Since it is sufficient to prove that there exist types α and β for which this is impossible, there is no loss of generality in assuming that α is atomic, and thus that there is no inference by (→ i) in the left branch of D1. Since the only undischarged assumption in D1 is x : (α → β) → α, it follows that this assumption occurs at the top of the left branch of D1. Hence, D1 has the following form, where N is xP:

$$\dfrac{x : (\alpha\to\beta)\to\alpha\qquad\begin{array}{c}\mathcal{D}_2\\ P : \alpha\to\beta\end{array}}{xP : \alpha}\ (\to e)$$

3.3 Adding ∧, ∨, and ⊥ (for ¬)

Let us now turn to the full propositional calculus. In addition to ⊃ (implication), we need ∧ (and), ∨ (or), and ¬ (not). In constructive logic, ¬ is usually defined in terms of ⊥ (absurdity), and we shall follow this practice here.

Definition 3.3 (Propositional formulas) Assume that, as in Definition 3.1, we have finitely or countably many given atomic formulas E1, ..., En, .... Propositional formulas are then defined as follows:

(a) a given atomic formula E_i is an (atomic) formula;

(b) ⊥ is an (atomic) formula; and

(c) if A and B are formulas, then so are (A ⊃ B), (A ∧ B), and (A ∨ B).

Notation Unnecessary parentheses will be omitted. The infixes ∧ and ∨ will have smaller scope than ⊃. The abbreviation

¬A

will be used for

A ⊃ ⊥.

The elimination and introduction rules postulated for ∧ and ∨ are as follows:

$$(\wedge e)\quad \dfrac{A \wedge B}{A}\qquad \dfrac{A \wedge B}{B}\qquad\qquad (\wedge i)\quad \dfrac{A \qquad B}{A \wedge B}$$

$$(\vee e)\quad \dfrac{A \vee B\qquad \begin{array}{c}[A]\\ C\end{array}\qquad \begin{array}{c}[B]\\ C\end{array}}{C}\qquad\qquad (\vee i)\quad \dfrac{A}{A \vee B}\qquad \dfrac{B}{A \vee B}$$

Of these rules, (∨e) will probably look least familiar. It is easy to understand if we think of proof by cases: if case A or case B holds, and if C can be proved in each case, then C must be provable.
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The  elimination  and  introduction  rules  for  negation,  which  are  derived  from  those 
for implication, are as follows:

$$(\neg e)\quad \dfrac{\neg A \qquad A}{\bot}\qquad\qquad (\neg i)\quad \dfrac{\begin{array}{c}[A]\\ \bot\end{array}}{\neg A}$$

There is one additional rule used with negation; it is as follows:

$$(\bot j)\quad \dfrac{\bot}{A}$$

It expresses the fact that anything follows from a contradiction, a fact accepted by most constructivists. (For those constructivists who do not accept this principle, there is the minimal calculus, which is the system NJ without this rule. We will not bother with the minimal calculus here.)

This leads us to the following definition:

Definition 3.4 (The formal calculus NJ) The formal calculus NJ is a natural deduction system. Its formulas are the propositional formulas of Definition 3.3. It has no axioms. Its rules are (⊃ e), (⊃ i), (∧e), (∧i), (∨e), (∨i), and (⊥ j).

Remark Many people may be surprised that rule (¬i) is constructively valid, since it is often said that constructivists object to proof by contradiction. In fact, the form of proof by contradiction to which constructivists object is not (¬i), but rather the following rule:

$$(\bot c)\quad \dfrac{\begin{array}{c}[\neg A]\\ \bot\end{array}}{A}$$

This rule is not valid in NJ; in fact, if it is added to NJ, the result is classical logic.

It turns out that it is possible to modify Definition 3.4 somewhat:

Lemma 3.1 If rule (⊥ j) is postulated in the form

$$\dfrac{\bot}{E}$$

where E is one of the given atomic formulas, then the rule holds in its full generality as a derived rule.
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Proof Since the case of the rule in which A is ⊥ is trivial, it is sufficient to prove the rule for compound formulas A on the assumption that it holds for shorter formulas. The three cases (note that ¬ is taken care of by the case for ⊃) are taken care of by the following three deductions:

$$\dfrac{\dfrac{\bot}{B}\ (\bot j)}{A \supset B}\ (\supset i)\qquad\qquad\dfrac{\dfrac{\bot}{A}\ (\bot j)\qquad\dfrac{\bot}{B}\ (\bot j)}{A \wedge B}\ (\wedge i)\qquad\qquad\dfrac{\dfrac{\bot}{A}\ (\bot j)}{A \vee B}\ (\vee i)$$


3.4  Extension  of  forinulas-as-types 

In  order  to  extend  the  formulas-as- types  isomorphism  of  Section  2  to  NJ,  it  is  most 
natural  to  compare  A,  V,  and  1  to  x,  +,  and  void.  This  leads  us  to  consider  t he 
system  extended  TA  of  the  remark  at  the  end  of  Section  2.1.  But  this  system  does 
not  correspond  exactly  to  NJ.  Instead  it  corresponds  to  a  system  obtained  from  NJ  by 
replacing  the  rules  (Ac),  (Ai),  (Ve),  and  (Vi)  by  the  following  axiom  schemes: 

(1)  AjIJdAaB; 

(2)  A  A  B  3  A\ 

(3)  A  A  n  3  B; 

(4)  A  3  A  V  B\ 

(5)  B  3  A  V  B, 
and 

(6)  A  V  D  3  (A  DC)D(B  D  C)  DC. 

It  should  be  clear  that,  in  the  presence  of  the  rules  (3  e)  and  (3  i),  these  six  axiom 
schemes  are  equivalent  to  the  indicated  rules. 

Note that by Lemma 3.1, rule (⊥j) is equivalent to the scheme

(7) ⊥ ⊃ E,

where E is an atomic formula distinct from ⊥. This scheme would appear not to
correspond to any term in extended TA, since such a term would have to be assigned the
type void → θ for an atomic type θ. If there is some object M in the type θ, then we can
apply (→i) with vacuous discharge of the assumption x : void to obtain the conclusion
λx.M : void → θ. But we cannot guarantee that there is an object M to which θ is
assigned for each atomic type θ; indeed, if there were such a term for each atomic type,
this would correspond to the provability of each atomic formula. So instead, we will add
to extended TA a constant ⊥_θ for each atomic type θ distinct from void, and we will
assume the axiom

(⊥j_θ)  ⊥_θ : void → θ.

Since these constants ⊥_θ do not occur at the beginning of any redexes, they do not affect
the normalization result. Hence, these axioms cannot be used to produce closed terms
in any of the θ. Furthermore, by the proof of Lemma 3.1, it should be clear that for
each type α there is a closed term ⊥_α of type void → α.

It is not difficult to show that Theorem 3.1 and Corollary 3.1.1 apply to NJ. The
normalization theorem for extended TA plus the constants ⊥_θ and axioms (⊥j_θ) can
be used to prove that NJ is, indeed, different from classical logic in one of its most
important aspects.

Theorem 3.2 For at least one formula A,

⊬_NJ A ∨ ¬A.

Proof Let A be an atomic formula. Let P be a proof (i.e., a deduction with no undischarged
assumptions) whose conclusion is A ∨ ¬A. An instance of axiom scheme (6) is

A ∨ ¬A ⊃ (A ⊃ A) ⊃ (¬A ⊃ A) ⊃ A.

Using this, P, Example 3.1, and two inferences by (⊃e), we get a proof of

(¬A ⊃ A) ⊃ A,

which is, when abbreviations are removed,

((A ⊃ ⊥) ⊃ A) ⊃ A.

Since both A and ⊥ are atomic formulas, this is unprovable by Corollary 3.1.1.


¹ The reduction and normalization procedure used here for NJ, which is based on extended TA plus
(⊥j_θ), is not the usual normalization procedure for NJ in proof theory. For the usual procedure, see
Prawitz, Chapter IV.
3.5 First order quantifiers

It is standard in logic to proceed from propositional logic to first order logic. In first
order logic, universal and existential quantifiers are present, and are assumed to operate
over one fundamental domain of individuals; it is not possible to quantify over sets of
individuals or functions whose arguments and values are individuals.

To take an example from elementary arithmetic, suppose that the fundamental domain
is the set of natural numbers, and suppose that our language has terms representing
the natural numbers and also addition and multiplication (which, for now, will be denoted
by their usual notation in algebra). Suppose also that formulas include equations
between expressions denoting numbers. Then a formula stating that x is an even number
is

(∃y)(x = 2·y),

where 2 is the term representing the number 2. A formula stating that x < y is

(∃u)(¬u = 0 ∧ y = x + u),

where 0 represents the number 0. (Recall that in the set of natural numbers, there are
no negative numbers, so that if a number is different from 0 it is positive.) A formula
which says that x divides evenly into y is

(∃u)(¬u = 0 ∧ y = x·u).

Finally, a formula which says that 0 is an identity for addition is

(∀x)(x = x + 0).

In giving these examples, I assumed that there is a term representing each natural
number. In fact, such terms are easy to construct: begin with an individual constant 0
and a function symbol σ with one argument. Then the term n representing the natural
number n is

σ(σ(. . . (σ0) . . .)),

where there are n occurrences of σ.

If we analyze the structure of the formulas in these examples, we see that we have
an individual constant 0, individual variables x, y, u, ..., function symbols σ of one
argument and + and · (multiplication) of two arguments, a predicate symbol = of two
arguments, the logical connectives of propositional logic, and the universal and existential
quantifiers. This leads us to the following formal definition:

Definition 3.5 (First order term and formula) Assume that we have countably
many individual variables x, y, x_1, etc., finitely or countably many individual constants
c_1, c_2, ..., finitely or countably many function symbols ω_1, ω_2, ..., and finitely or
countably many predicate symbols φ_1, φ_2, ..., where each function symbol and predicate
symbol has associated with it a natural number called its degree, which represents
its number of arguments. Then terms are defined as follows:

(a) individual constants and individual variables are terms; and

(b) if ω is a function symbol of degree m, and if t_1, ..., t_m are terms, then ω(t_1, ..., t_m)
is a term.

First order formulas are now defined as follows:

(c) if φ is a predicate symbol of degree m and if t_1, ..., t_m are terms, then φ(t_1, ..., t_m)
is an atomic formula;

(d) ⊥ is an atomic formula;

(e) if A and B are formulas, then so are (A ∧ B), (A ∨ B), and (A ⊃ B); and

(f) if A is a formula and x an individual variable, then (∀x)A and (∃x)A are formulas.

Parentheses will be omitted as usual. An occurrence of an individual variable is said to
be bound if it is within the scope of a universal or existential quantifier; otherwise it is
free.

Notes (1) Both function symbols and predicate symbols may have degree 0. A function
symbol of degree 0 is just an individual constant; individual constants are listed separately
because it is customary to do so. A predicate symbol of degree 0 is an atomic
formula. One example of such an atomic formula is ⊥.

(2) Here ⊥ is, in effect, taken to be a predicate symbol of degree 0. But this is not
necessary in all first order systems. For example, in first order arithmetic, ⊥ is often
defined to be the atomic formula 0 = σ0, which is 0 = 1. What is important is that ⊥
be an atomic formula.

Definition 3.6 (The formal calculus NJ*) The formal calculus NJ* is a natural deduction
system. Its formulas are the first order formulas of Definition 3.5. It has no
axioms. Its rules are the rules of NJ and, in addition, the following:

(∀e)    (∀x)A(x)
        --------          Condition: t is a term.
          A(t)

(∀i)      A(x)
        --------          Condition: x does not occur free in any undischarged
        (∀x)A(x)          assumption.

                  [A(y)]
                    .
                    .
(∃e)    (∃x)A(x)    C
        ------------      Condition: y does not occur free in C or in any
             C            undischarged assumption.

(∃i)      A(t)
        --------          Condition: t is a term.
        (∃x)A(x)
The condition on the variable x in rule (∀i) guarantees that no assumption is made
about x above the inference. Rule (∃e) formalizes the argument: there is an x such that
A(x); let y be a thing such that A(y); conclusion C (where y does not occur free in
C). See the discussion after Definition 2.17. The condition on y is obviously necessary
for this rule. Variables such as x in (∀i) and y in (∃e) are called eigenvariables or
characteristic variables.
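As an added example (not part of the original document), the following Python encodes the terms and formulas of Definition 3.5 together with the arithmetic formulas given above, computes the free variables of a formula, and checks the eigenvariable condition of rule (∀i) against a list of undischarged assumptions. The constructor names and the symbol strings "sigma", "+", "*" are my own choices, not notation from the document.

```python
from dataclasses import dataclass
from typing import Union

# Terms of Definition 3.5 (a)-(b).
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Const:
    name: str

@dataclass(frozen=True)
class Fun:            # function symbol applied to exactly dg(symbol) terms
    symbol: str
    args: tuple

# Formulas of Definition 3.5 (c)-(f).
@dataclass(frozen=True)
class Atom:           # predicate symbol applied to terms; degree 0 gives ⊥
    symbol: str
    args: tuple

@dataclass(frozen=True)
class Bin:            # op is one of "and", "or", "imp"
    op: str
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Quant:          # q is "forall" or "exists"; var is the bound variable
    q: str
    var: str
    body: "Formula"

Term = Union[Var, Const, Fun]
Formula = Union[Atom, Bin, Quant]

BOT = Atom("bot", ())                     # ⊥ as a predicate symbol of degree 0 (Note 2)

def neg(a: Formula) -> Formula:           # ¬A abbreviates A ⊃ ⊥
    return Bin("imp", a, BOT)

def eq(s: Term, t: Term) -> Formula:      # the predicate symbol = of degree 2
    return Atom("=", (s, t))

def numeral(n: int) -> Term:
    """The term σ(σ(...(σ0)...)) with n occurrences of σ."""
    t: Term = Const("0")
    for _ in range(n):
        t = Fun("sigma", (t,))
    return t

def free_vars(obj) -> set:
    """Variables with a free occurrence: an occurrence is bound exactly when it
    lies within the scope of a quantifier on that variable."""
    if isinstance(obj, Var):
        return {obj.name}
    if isinstance(obj, Const):
        return set()
    if isinstance(obj, (Fun, Atom)):
        return set().union(*(free_vars(a) for a in obj.args))
    if isinstance(obj, Bin):
        return free_vars(obj.left) | free_vars(obj.right)
    if isinstance(obj, Quant):
        return free_vars(obj.body) - {obj.var}
    raise TypeError(f"not a term or formula: {obj!r}")

def forall_intro_allowed(x: str, assumptions) -> bool:
    """Side condition of rule (∀i): the eigenvariable x may not occur free in
    any undischarged assumption.  Without it, the assumption x = 0 alone would
    yield (∀x)(x = 0), which is how an unsound checker proves false facts."""
    return all(x not in free_vars(a) for a in assumptions)

# The four formulas from the text, constructed here from the definitions above.
x, y, u = Var("x"), Var("y"), Var("u")
EVEN_X  = Quant("exists", "y", eq(x, Fun("*", (numeral(2), y))))   # (∃y)(x = 2·y)
LESS_XY = Quant("exists", "u", Bin("and", neg(eq(u, numeral(0))),
                                   eq(y, Fun("+", (x, u)))))        # x < y
DIVIDES = Quant("exists", "u", Bin("and", neg(eq(u, numeral(0))),
                                   eq(y, Fun("*", (x, u)))))        # x divides y
ZERO_ID = Quant("forall", "x", eq(x, Fun("+", (x, numeral(0)))))   # (∀x)(x = x + 0)

if __name__ == "__main__":
    print(sorted(free_vars(LESS_XY)))                      # ['x', 'y']
    print(forall_intro_allowed("x", [eq(x, numeral(0))]))  # False: x is free in x = 0
```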

At first glance it might appear that the natural way to extend the formulas-as-types
isomorphism to NJ* is to use the system TAP. But this will not work. For in TAP, only
types (corresponding to formulas) can be substituted for the (type) variables, whereas
in NJ* we must be able to substitute terms for the quantified variables. Instead, we
will need to take a type to represent the fundamental domain of quantification, and
introduce quantification over that type. We will also need to modify the definition of
type to correspond to Definition 3.5.

Thus, suppose one of the atomic types is J, the type of individuals. For each atomic
constant c, we will want to assume

c : J.

For each function symbol ω of degree m, we will want to assume

ω : J → J → ... → J,

where there are m + 1 occurrences of J. Then it will follow for each closed term t that

t : J.

Furthermore, if t is a term with free variables x_1, ..., x_n, then it will follow that

x_1 : J, ..., x_n : J ⊢ t : J.

Next, we need to generalize the definition of atomic type: for each predicate symbol φ
of degree m, and for any terms t_1, ..., t_m, we need that φ(t_1, ..., t_m) is a type. We also
assume void is an atomic type, and form as usual types α × β, α + β, and α → β. Also,
we need that if x is a variable and α is a type, then (∀x : J)α and (∃x : J)α are types.

It remains to specify the terms in (∀x : J)α and (∃x : J)α. For the type (∀x : J)α,
we want a function which, when applied to any object t of type J, produces a value in
[t/x]α. Note that as in TAG the type of this function depends on its argument and not
just on the type of its argument. For (∃x : J)α, we want to have pairs (t, M) such that
t has type J and M has type [t/x]α. These are just the kind of pairs we were unable
to represent in the type structures of Section 1.1. We shall have more to say about this
later.

The above conventions, although stated as in previous definitions, can also be obtained
by using the machinery of TAG or TAGU. What is necessary is some type to which
the above types belong, such as the type U of Section 2.8. Since the above types represent
propositions, this new type will be called Prop. We have the following formal
definition:


Definition 3.7 (TAJ types) The types of the system TAJ are defined as follows:

(a) J and Prop are (atomic) types; and

(b) if α and β are types, then so is (α → β).

The special types J^n and Prop^n for n ≥ 0 are defined as follows (by induction on n):

J^0 = J,   J^{n+1} = J → J^n;

Prop^0 = Prop,   Prop^{n+1} = J → Prop^n.

Definition 3.8 (TAJ terms) The terms of TAJ are defined from countably many term
variables x_1, ..., x_n, ..., and the term constants c_1, c_2, ..., ω_1, ω_2, ..., φ_1, φ_2, ...,
void, D, D_J, fst, snd, inl, inr, case, proj_J, and ⊥, as follows:

(a) every term variable and term constant is a term;

(b) if M, N, A, and B are terms, so are (MN), (A × B), (A + B), and (A → B); and

(c) if x is a term variable and A and M are terms, then (λx:A . M), (λx:J . M), (∀x : J)A,
and (∃x : J)A are terms.

With each constant ω_i and φ_i is associated a natural number dg(ω_i) or dg(φ_i), called
the degree of the constant in question.

Definition 3.9 (Reduction for TAJ terms) Reduction for TAJ terms is defined by
the following table of redexes and contracta:

            Redex                          Contractum

(β)         (λx : A . M)N                  [N/x]M
(fst)       fst AB(DABMN)                  M
(snd)       snd AB(DABMN)                  N
(case_1)    case AB(inl AB M)CFG           FM
(case_2)    case AB(inr AB M)CFG           GM
(proj)      proj_J ACZ(D_J AMN)            ZMN

Definition 3.10 (The type assignment system TAJ) The system TAJ is a natural
deduction system. Its formulas are all expressions of the form

M : A,

where M is a term and A is either a term or a type. The axioms are as follows:

(c_i)   c_i : J,

(ω_i)   ω_i : J^m,  m = dg(ω_i),

(φ_i)   φ_i : Prop^m,  m = dg(φ_i),

for each i, and

(void)  void : Prop.

The rules of TAJ come in two groups:




Rules of type formation:

(× Formation)     A : Prop   B : Prop
                  -----------------
                     A × B : Prop

(+ Formation)     A : Prop   B : Prop
                  -----------------
                     A + B : Prop

(→ Formation)     A : Prop   B : Prop
                  -----------------
                     A → B : Prop

                   [x : J]
(∀J Formation)     A : Prop              Condition: x does not occur free in any
                  ---------------        undischarged assumption.
                  (∀x : J)A : Prop

                   [x : J]
(∃J Formation)     A : Prop              Condition: x does not occur free in any
                  ---------------        undischarged assumption.
                  (∃x : J)A : Prop

Rules of type assignment:

(×e)_1    M : A × B   A : Prop   B : Prop
          -----------------------------
                  fst ABM : A

(×e)_2    M : A × B   A : Prop   B : Prop
          -----------------------------
                  snd ABM : B

(×i)      M : A   N : B   A : Prop   B : Prop
          ---------------------------------
                  DABMN : A × B

           [x : J]
(∀Ji)      M : A                         Condition: x does not occur free in any
          -------------------------      undischarged assumption.
          λx:J . M : (∀x : J)A

                         [x : J][y : A]   [x : J]
(∃Je)     M : (∃x : J)A       N : C        A : Prop   C : Prop
          ----------------------------------------------------
                proj_J(λx:J . A)C(λx:J . λy:A . N)M : C

          Condition: x and y do not occur free in C, M, or in any undischarged
          assumptions, and y does not occur free in A.

                                 [x : J]
(∃Ji)     M : J   N : [M/x]A     A : Prop
          -------------------------------
            D_J(λx:J . A)MN : (∃x : J)A

          Condition: x does not occur free in M or N or in any undischarged
          assumption.

(≡)       M : A
          -----          Condition: N is obtained from M by changes of bound variables.
          N : A

(≡')      M : A
          -----          Condition: B is obtained from A by changes of bound variables.
          M : B


Notes (1) As we have seen, we have in TAJ functions the type of whose values depends
on the arguments as well as the types of the arguments, and we also have pairs in which
the type of the second element depends on the first element as well as on its type. This
means that the type structures of Section 1.1 are not models of TAJ (just as they are
not models of TAP). It is possible to construct a kind of semantics for TAJ as follows: J
is interpreted as the set of all closed terms of NJ*; Prop is interpreted as the set of closed
formulas of NJ*; the function types built up from J and Prop using → are interpreted
using terms and formulas in which free variables occur; and terms assigned as types
terms in Prop are interpreted as deductions or, if they are closed, as proofs. Any other
model for TAJ is likely to be too complicated to provide most people with any insight.

(2) The presence of λx:J . A in the conclusion of rules (∃Je) and (∃Ji) may seem a
bit strange. It is there merely to supply A as an argument, and therefore it might seem
more appropriate to use simply A. But if we did that, then x would occur free in the
conclusion whenever it occurs free in A, which is contrary to the spirit of the system.
The only obvious alternative is to postulate D_{J,A} and proj_{J,A} for each formula A, but
in this case whether or not a term D_{J,A} is defined depends on whether or not there
is a deduction whose conclusion is A : Prop, and this is also contrary to the spirit of
the system. The (proj) contraction of Definition 3.9 shows that it makes no difference
whether A or λx:J . A is used as an argument here, since it disappears in the contraction.

The system TAJ contains the system NJ* in an important sense, for we can easily
write ∧, ∨, ⊃, and ⊥ instead of ×, +, →, and void (provided, of course, that the
constant ⊥ of TAJ is renamed). The system NJ* has been given here as a separate
system because it is traditional to do so. However, from here on, systems of logic will
only be presented with the systems of type assignment with which they are associated
by the formulas-as-types isomorphism.
3.6 The full theory of types

An examination of TAJ raises a question: why quantify only over the type J? Why not
quantify over other types, such as Prop? In fact, why not quantify over all of the TAJ
types of Definition 3.7? There is, in fact, no reason at all for not quantifying over all
TAJ types, and a logic based on this idea was proposed as long ago as 1940 by Church
[Chu40]. A version of this system will now be presented as a system of type assignment.

Clearly the main difference between TAJ and the system that will be defined here
is that instead of only (∀x : J) and (∃x : J), we will now have (∀x : α) and (∃x : α) for
every TAJ type α. It should be clear how to obtain the more general quantifier rules
required here from those of TAJ.

However, there is another important difference: one of the TAJ types is Prop, and
since we can quantify over Prop, we can interpret TAP in this new system. This means
that we can use the definitions of Section 2.4 to reduce the number of primitives.

The  new  system  will  be  called  TAT. 

The  types  of  TAT  will  be  those  of  TAJ  (Definition  3.7). 

Definition 3.11 (TAT terms) The terms of TAT are defined from countably
many term variables x_1, x_2, ..., x_n, ..., and the term constants c_1, c_2, ..., ω_1, ω_2, ...,
φ_1, φ_2, ..., as follows:

(a) every term variable and term constant is a term;

(b) if M and N are terms, so are (MN) and (M → N); and

(c) if x is a term variable, A and M are terms, and α is a type, then (λx:A . M),
(λx:α . M), and (∀x : α)A are terms.

With each constant ω_i and φ_i is associated a natural number dg(ω_i) or dg(φ_i), called
the degree of the constant in question.

Reduction for TAT terms is defined using the β-redexes of Definition 3.9.

Definition 3.12 (The type assignment system TAT) The system TAT is a natural
deduction system. Its formulas are all expressions of the form

M : A,

where M is a term and A is either a term or a type. The axioms are (c_i), (ω_i), and
(φ_i) from Definition 3.10 for each i. The rules of type formation are (→ Formation) of
Definition 3.10 and

                   [x : α]
(∀α Formation)     A : Prop              Condition: x does not occur free in any
                  ---------------        undischarged assumption and α is a type.
                  (∀x : α)A : Prop

The rules of type assignment are (→e), (→i), (≡), and (≡') of Definition 3.10 and

           [x : α]
(∀αi)      M : A                         Condition: x does not occur free in any
          -------------------------      undischarged assumption.
          λx:α . M : (∀x : α)A


Remark As in TAJ, the type structures of Section 1.1 are not models of TAT. There
are models of the original (classical) version of Church's type theory formed by interpreting
J as any set, Prop as the set of two truth values, true and false, and interpreting
compound types α → β as the set of all functions from the set corresponding to α to the
set corresponding to β. But these models are not models of TAT because they do not
model the deductions. Furthermore, since TAP can be interpreted in TAT, it follows
that TAT has no set theoretic models. It is probably best to adopt the procedure we
used for TAJ, and interpret Prop as the set of closed formulas. Because we now have
quantifiers over all types, this idea is hard to make precise, and so is unlikely to be
accepted as the basis for any kind of theory of models. Nevertheless, the idea probably
gives most people more insight into TAT than any other notion of semantics.

Now let us show how to use the definitions of Section 2.4 to define the other terms and
operators of TAJ. Some changes in the previous definitions will be necessary: wherever
we previously had a quantifier (∀a), we will now need a quantifier (∀u : Prop), and where
we previously used the abstraction λa, we will now need λu : Prop. Furthermore, the
existential quantifier will need somewhat different treatment, since we now expect the
elements assigned an existential type will be pairs. In addition, it is now possible to
quantify over the parameters that stood for type schemes in TAP and now stand for
terms of type Prop. For this reason, it is worth stating these definitions again for this
system.

Definition 3.13 (Cartesian product proposition) The product type operator and
its associated pairing and projection operators are defined as follows:

(a) X = λu:Prop . λv:Prop . (∀w : Prop)((u → v → w) → w);

(b) D = λu:Prop . λv:Prop . λx:u . λy:v . λw:Prop . λz:u → v → w . zxy;

(c) fst = λu:Prop . λv:Prop . λx:Xuv . xu(λy:u . λz:v . y); and

(d) snd = λu:Prop . λv:Prop . λx:Xuv . xv(λy:u . λz:v . z).

We use A × B as an abbreviation for XAB.
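As an added example (not code from the original document), the terms of Definition 3.13 are written below as Python closures, one lambda per λ-abstraction, and the (fst) and (snd) contractions of Definition 3.9 are checked on these defined constants rather than on primitive ones. The Prop-typed arguments u, v, w are kept as explicit parameters so the call structure mirrors the terms, but Python erases types, so they are inert at run time; the sample propositions and "proofs" are constructed placeholders.

```python
# Added example: Definition 3.13 as Python closures.  The term  D u v x y
# is written  D(u)(v)(x)(y), with the same argument order as on the page.

def D(u):
    """D = λu:Prop . λv:Prop . λx:u . λy:v . λw:Prop . λz:u → v → w . zxy"""
    return lambda v: lambda x: lambda y: lambda w: lambda z: z(x)(y)

def fst(u):
    """fst = λu:Prop . λv:Prop . λx:Xuv . xu(λy:u . λz:v . y)"""
    return lambda v: lambda p: p(u)(lambda y: lambda z: y)

def snd(u):
    """snd = λu:Prop . λv:Prop . λx:Xuv . xv(λy:u . λz:v . z)"""
    return lambda v: lambda p: p(v)(lambda y: lambda z: z)

def contractions_hold(A, B, M, N):
    """The (fst) and (snd) contractions of Definition 3.9,
         fst AB(DABMN) ▷ M    and    snd AB(DABMN) ▷ N,
    hold for the *defined* constants: Python's call-by-value evaluation performs
    exactly the β-steps of each contraction, so the results are the original
    objects M and N themselves (checked with 'is', not merely '==')."""
    pair = D(A)(B)(M)(N)
    return fst(A)(B)(pair) is M and snd(A)(B)(pair) is N

def swap(A, B, pair):
    """An element of XAB is a function over *all* propositions w.  Instantiating
    w with XBA and passing a z that rebuilds the pair reversed yields an element
    of XBA; this is what the quantifier (∀w : Prop) in X provides beyond the
    two projections."""
    return pair(("X", B, A))(lambda x: lambda y: D(B)(A)(y)(x))

# Constructed sample data (placeholders): propositions are represented by their
# names, and their "proofs" by distinct Python objects so 'is' can tell them apart.
A, B = "even(2)", "0 = 0 + 0"
M, N = ["proof of even(2)"], ["proof of 0 = 0 + 0"]

if __name__ == "__main__":
    print(contractions_hold(A, B, M, N))                  # True
    print(fst(B)(A)(swap(A, B, D(A)(B)(M)(N))) is N)      # True
```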


It is not at all difficult to prove from these definitions that if A : Prop and B : Prop


It is not hard to show that rules (∃α Formation), (∃αe) and (∃αi) corresponding to the
rules for ∃J in Definition 3.10 are satisfied. It is also easy to show that

proj_{α,B} CZ(D_{α,B} MN) = ZMN.

Note that in Definition 3.16, there is no way to avoid the use of the parameters; for
types are completely distinct from terms, and there may be a free variable in B which
is bound in the definitions.

Remark It is worth comparing proj_{α,B} with project_α of Definition 2.17. For the same
reason that the latter could not be made a true projection function, the former cannot
be used to define a true right projection for use with rule (∃αe). There is no problem
with the left projection: take C = α and take Z = λx:α . λy:B . x, and observe that
this satisfies the condition on rule (∃αe), which becomes in this case that x and y do
not occur free in C or in D_{α,B} MN and y does not occur free in B. On the other hand,
for the right projection, we need to take Z = λx:α . λy:B . y, and this requires C = B,
in which x may occur free. Being able to use a right projection with rule (∃αe) would
correspond to allowing an inference in NJ* from (∃x)A(x) to A(t_A) for some term t_A,
and making inferences like this work for natural deduction formulations of first order or
higher order logic is notoriously difficult.


Chapter 4

THE THEORY OF
CONSTRUCTIONS

We have now seen quite a few systems of type assignment to λ-terms. As we said in
the introduction, these systems are important for us because they are the basis for the
system which really interests us, the theory of constructions. This is an extension of
TAGU and TAT introduced by Coquand [Coq85] and studied further in [CH86], [CH],
[Coq86a], [Coq86b], and [Coq]. We have already seen that TAT is an extension of TAP;
the theory of constructions, as an extension of TAT, is also an extension of TAP. It is also
an extension of the important part of the type theory introduced by Martin-Löf [Mar75],
[Mar82], and [Mar84]¹. This chapter will be devoted to the theory of constructions.

The proofs in this chapter will be given in more detail than in previous chapters.
This is because the system is new and some of the proofs are difficult. In fact, Martin-
Löf [Mar71]² presented a proof of normalization for a system which was later shown
not to be normalizable³. For this reason, the important proofs in this chapter need to
be checked carefully, and so they will be presented in considerable detail.
4.1 The theory of constructions: natural deduction formulation.

The theory of constructions, or TAC, combines the kind of generalized type assignment
of systems such as TAG and TAGU with the formulas-as-types isomorphism used in
defining TAT.

As we remarked at the end of Section 2.8, one of the weaknesses we want to eliminate
in this system is the fact that in TAGU we cannot quantify over compound types built
up from Prop. For this reason, as in TAT, we need a notion of type. But unlike TAP, we
cannot define the types as a fixed set of terms. Instead, we need to indicate the types
by the rules of the system. Thus, in addition to formulas of the form M : A, we need
formulas of the form

A : Type.

The types are then specified by the deductive rules of the system.

Definition 4.1 (TAC terms) The terms of TAC are the terms of TAGU (Definition
2.23), where U is denoted by Prop, except that there is a new constant, Type.

The  original  intention  was  that  Type  would  not  be  part  of  any  compound  type. 
However,  it  has  since  turned  out  that  it  is  convenient  to  have  Type  occurring  as  a 
certain  part  of  certain  compound  types,  as  we  shall  see  below. 

Definition 4.2 (The type assignment system TAC) The system TAC is a natural
deduction system. Its formulas are of the form

M : A,

where M and A are terms. There is one axiom:

Prop : Type.

The rules are as follows:

Rules of type formation:

                             [x : A]
(PP Formation)     A : Prop   B : Prop         Condition: x does not occur free in A
                  -------------------          or in any undischarged assumption.
                    (∀x : A)B : Prop

                             [x : A]
(TP Formation)     A : Type   B : Prop         Condition: x does not occur free in A
                  -------------------          or in any undischarged assumption.
                    (∀x : A)B : Prop

                             [x : A]
(PT Formation)     A : Prop   B : Type         Condition: x does not occur free in A
                  -------------------          or in any undischarged assumption.
                    (∀x : A)B : Type

                             [x : A]
(TT Formation)     A : Type   B : Type         Condition: x does not occur free in A
                  -------------------          or in any undischarged assumption.
                    (∀x : A)B : Type

(Eq'P)     A : Prop   A = B
          -----------------
               B : Prop

(Eq'T)     A : Type   A = B
          -----------------
               B : Type

Rules of type assignment:

(∀e)      M : (∀x : A)B   N : A
          ---------------------
              MN : [N/x]B

           [x : A]
(∀Pi)      M : B      A : Prop                 Condition: x does not occur free in A
          ----------------------               or in any undischarged assumption.
          λx:A . M : (∀x : A)B

           [x : A]
(∀Ti)      M : B      A : Type                 Condition: x does not occur free in A
          ----------------------               or in any undischarged assumption.
          λx:A . M : (∀x : A)B

(Eq'')    M : A   A = B
          -------------
              M : B

(≡)       M : A
          -----          Condition: N is obtained from M by changes of bound variables.
          N : A

(Note that several rules listed earlier are listed here in full: since this system is the
main subject of this work, it was felt to be important to make this definition relatively
self-contained.)

It is possible to state the rules of this system in a more compact form. To do this,
we define the kinds to be the two terms Prop and Type. Then if we let κ and κ' be any
two kinds, the rules of type formation can be stated as follows:

                             [x : A]
(κκ' Formation)    A : κ      B : κ'           Condition: x does not occur free in A
                  -------------------          or in any undischarged assumption.
                    (∀x : A)B : κ'

(Eq'κ)     A : κ   A = B
          --------------
               B : κ


Furthermore, the rules for (∀κi) can be combined as follows:
4.2 The basic metatheory of the theory of constructions

Theorem 2.7 can be extended to TAC:

Theorem 4.1 Every deduction in TAC can be transformed into a deduction with the
same undischarged assumptions and conclusion in which each inference by any of the
rules (Eq'') and (Eq'κ) occurs just above the major (left) premise for an inference by
(∀e) (in which case it is an inference by rule (Eq'')) or just above the minor (right)
premise for an inference by (∀κi) (in which case it is an inference by rule (Eq'κ)) or
just above the conclusion.⁴

Proof Similar to the proof of Theorem 2.7. The definitions of independent subdeduction
and dependent subdeduction will be obtained from those of the proof of Theorem 2.7
with U replaced by any kind κ. In addition to transformations II and III from the proof of
Theorem 2.5, we need the following transformations (corresponding to transformations
IV–VI of the proof of Theorem 2.7):


[Transformation diagrams: in each, an inference by an equality rule standing above a
premise of (κκ' Formation) or (∀κi) is moved below the conclusion of that inference,
where it becomes an inference by (Eq'κ) or (Eq'') respectively.]

⁴ Here, just above the conclusion means what it did in Theorem 2.7, and there may be two such
inferences, one by rule (Eq'κ) and the next one by rule (Eq'').


From now on, we shall assume without further comment that the transformation
given by Theorem 4.1 has been carried out in any deduction. In some cases, when deductions
are put together, inferences by equality rules will be indicated at places other
than those specified by the theorem; this will mean the deduction obtained from the one
shown by carrying out the transformation given by Theorem 4.1.

TAC is clearly an extension of the system TAGU, i.e., of the system TAG I of Hindley
& Seldin [HS86] Section 16E. This means that TAP can be interpreted in it.

Theorem 4.2 TAP can be interpreted in TAC.

Proof See Hindley & Seldin [HS86] Theorem 16.66. ■

Now let us turn to the general theory of TAC. The first result we have is that
Type and Prop control terms which can occur as "types" the way we expect them to.
To see this, we need first to consider the conditions under which assumptions may be
discharged. For each rule that discharges an assumption of the form x : A, there is the
independent subdeduction, the conclusion of which is either A : Prop or A : Type. This
fact and the conditions on the occurrences of the variables of discharged assumptions
imply that assumptions must be discharged in a certain order. Thus, instead of sets of
assumptions, we are really interested in sequences of assumptions. Now suppose that
we are given a sequence of assumptions of the form

x_1 : A_1, x_2 : A_2, ..., x_n : A_n.

Suppose that the assumption that we wish to discharge is always the last of the sequence.
Under what conditions can the last assumption be discharged? And more generally,
under what conditions is it always possible to discharge the last assumption of any
initial segment of this sequence? It is not difficult to see that the conditions are those
of the following definition:
Definition 4.3 ((Well-formed) environments) A (well-formed) environment is a sequence of assumptions

$$x_1 : A_1,\ x_2 : A_2,\ \ldots,\ x_n : A_n \qquad (4.1)$$

such that, for $i = 1, 2, \ldots, n-1$, the following two properties hold:

(a) $x_i$ does not occur free in $A_1, A_2, \ldots, A_i$ (but may occur free in $A_{i+1}, \ldots, A_n$); and

(b) either

$$x_1 : A_1,\ x_2 : A_2,\ \ldots,\ x_i : A_i \vdash_{\mathrm{TAC}} A_{i+1} : \mathrm{Prop}$$

or

$$x_1 : A_1,\ x_2 : A_2,\ \ldots,\ x_i : A_i \vdash_{\mathrm{TAC}} A_{i+1} : \mathrm{Type}.$$

We  can  now  see  that  the  terms  which  can  be  proved  to  be  in  Type  are  really  quite 
limited. 


Theorem 4.3 If

$$\Gamma \vdash_{\mathrm{TAC}} A : \mathrm{Type},$$

for any set of assumptions $\Gamma$, then for some $n \geq 0$ and for some terms $A_1, A_2, \ldots, A_n$, and for a sequence of pairwise distinct variables $x_1, x_2, \ldots, x_n$,

$$A \equiv (\forall x_1 : A_1)(\forall x_2 : A_2)\ldots(\forall x_n : A_n)\mathrm{Prop}.$$

Proof This follows immediately from the fact that any formula of the form $A : \mathrm{Type}$ can occur only as the axiom (P T) or as the conclusion of one of the rules (κT Formation) or (Eq′T). ■

Definition 4.4 (Context) A context is a term $A$ satisfying the conclusion of Theorem 4.3. If $A$ is a context, and if the conclusion of Theorem 4.3 is that $A$ is convertible to

$$(\forall x_1 : A_1)(\forall x_2 : A_2)\ldots(\forall x_n : A_n)\mathrm{Prop}, \qquad (4.2)$$

then (4.2) is called a standard form of $A$, $n$ is called the index of the standard form, and $A_1, A_2, \ldots, A_n$ are called its prefix types.

It is easy to see (by the Church-Rosser theorem) that two standard forms can be standard forms of the same context if and only if they have the same index and corresponding prefix types are convertible. This means that we can speak of the index of a context, and if we are willing to consider equivalence classes of convertible terms, we can speak of the prefix types of a context. It is also easy to see that any context can be reduced to one of its standard forms.

Contexts have a clear meaning: each context is the type of propositional functions of a certain number of arguments over certain terms as "types". Obviously, contexts are really useful only when the prefix types are either in Prop or in Type. For this reason, we would like to know which contexts can be shown (perhaps using assumptions) to be in Type, i.e., we want as general as possible a partial converse to Theorem 4.3.
Definition 4.5 (Well-formed context) A context is said to be well-formed if and only if it has a standard form (4.2) such that the corresponding sequence of assumptions (4.1) is a well-formed environment.

It is easy to show the following result:

Theorem 4.4 If $A$ is a well-formed context, then

$$\vdash_{\mathrm{TAC}} A : \mathrm{Type}.^5$$

We would like to show that a context cannot be assigned a type other than Type. To do this, we need to consider the places at which Type can occur in a deduction. It may appear that it occurs only on the right of the colon and then only alone. But this is not the case, for consider the following example:

$$
\dfrac{\mathrm{Prop}:\mathrm{Type}\qquad \mathrm{Prop}:\mathrm{Type}}{\lambda x{:}\mathrm{Prop}\,.\,\mathrm{Prop} : (\forall x : \mathrm{Prop})\mathrm{Type}}\ (\forall\mathrm{T}\iota)
$$

What we can prove about occurrences of Type requires a definition:

Definition 4.6 (Supercontext) A term $A$ is a supercontext if

$$A \equiv (\forall x_1 : A_1)\ldots(\forall x_n : A_n)\mathrm{Type},$$

where $(\forall x_1 : A_1)\ldots(\forall x_n : A_n)\mathrm{Prop}$ is a well-formed context. Here, $(\forall x_1 : A_1)\ldots(\forall x_n : A_n)\mathrm{Type}$ is called a standard form of $A$, $n$ is called the index of the standard form, and $A_1, A_2, \ldots, A_n$ are called its prefix types.

The remarks after Definition 4.4 about the standard forms of contexts apply equally to those of supercontexts.

The result we want is now as follows:

Theorem 4.5 (a) If $\Gamma$ is a well-formed environment and if

$$\Gamma \vdash_{\mathrm{TAC}} M : A,$$

then $M$ reduces to a term in which there is no occurrence of Type.

(b) If $\Gamma$ is a well-formed environment and if

$$\Gamma \vdash_{\mathrm{TAC}} M : A,$$

and if there is an occurrence of Type in every term to which $A$ reduces, then $A$ is a supercontext.⁶

⁵ It is, in fact, easy to strengthen Theorem 4.3 to show that if $\vdash_{\mathrm{TAC}} A : \mathrm{Type}$ then $A$ is a well-formed context.
Proof (a) By induction on the deduction of

$$\Gamma \vdash_{\mathrm{TAC}} M : A.$$

(Note that the type of each variable in a well-formed environment satisfies the conditions of the theorem.) In the cases for the (Eq) rules, the conclusion follows via the Church-Rosser theorem and the fact that no reduction can introduce an occurrence of Type into a term. The remaining cases are easy.

(b) By induction on the deduction of

$$\Gamma \vdash_{\mathrm{TAC}} M : A.$$

The only difficult case is rule (∀e); in this case, suppose that the inference is

$$
\dfrac{M : (\forall x : B)C \qquad N : B}{MN : [N/x]C}\ (\forall\mathrm{e})
$$

If there is an occurrence of Type in every term to which $[N/x]C$ reduces, then, since by (a) $N$ reduces to a term in which Type does not occur, there is an occurrence of Type in every term to which $C$ reduces. Hence, there is an occurrence of Type in every term to which $(\forall x : B)C$ reduces. Thus, by the induction hypothesis (on the left premise), $(\forall x : B)C$ is a supercontext. It follows that $C$ and hence also $[N/x]C$ are also supercontexts. ■

Define an occurrence of a subterm $A$ of a term $M$ to be the type of a bound variable if $A$ is the indicated part of a subterm of the form $\lambda x{:}A\,.\,N$ or $(\forall x : A)B$.

Theorem 4.6 Let $\Gamma$ be a well-formed environment, and suppose

$$\Gamma \vdash_{\mathrm{TAC}} M : A,$$

where $A$ is not a supercontext. Then $M \equiv N$ for some term $N$ in which every occurrence of the atomic term Prop is inside the type of a bound variable.⁷

Proof By induction on the deduction of $\Gamma \vdash_{\mathrm{TAC}} M : A$. ■

Corollary 4.6.1 If $\Gamma$ is a well-formed environment, and if

$$\Gamma \vdash_{\mathrm{TAC}} M : A,$$

where $A$ is not a supercontext, then $M$ is not a context.

⁶ Since it is not, in general, decidable whether or not there is an occurrence of Type in every term to which a given term reduces, it may appear that this theorem involves a nonconstructive use of the law of excluded middle. But in fact, all that is really needed for part (b) is that it is not possible to determine from the deduction that there is a reduction from the term to a term in which Type does not occur, and this can be constructively determined.

⁷ The condition of the theorem that $A$ is not a supercontext is not constructively decidable. However, all that is really necessary for the theorem is that it not be possible to read from the deduction in question that $A$ is a supercontext, and this can be constructively determined.
Corollary 4.6.2 If $\Gamma$ is a well-formed environment, and if

$$\Gamma \vdash_{\mathrm{TAC}} M : \kappa \quad\text{and}\quad \Gamma \vdash_{\mathrm{TAC}} M : \kappa',$$

then $\kappa = \kappa'$.

Proof Otherwise, we have $\Gamma \vdash_{\mathrm{TAC}} M : \mathrm{Prop}$ and $\Gamma \vdash_{\mathrm{TAC}} M : \mathrm{Type}$, from which we get by Theorem 4.3 that $M$ is a context and from Corollary 4.6.1 that it is not a context. ■


It is not hard to generalize Theorem 4.3 to the following:

Theorem 4.7 If

$$\Gamma \vdash_{\mathrm{TAC}} A : B,$$

where $B$ is a supercontext, then

$$A \equiv \lambda x_1{:}A_1\,.\,\lambda x_2{:}A_2\,.\,\ldots\,\lambda x_m{:}A_m\,.\,A', \qquad (4.3)$$

where $A'$ is a context.

Definition 4.7 (Context Function) A term $A$ satisfying the conclusion of Theorem 4.7 is called a context function. If $A'$ is a standard form, then the form on the right of (4.3) is called a standard form of $A$, and its index is $m$ plus the index of $A'$. All of the remarks and conventions regarding standard forms and indices of contexts apply to those of context functions.


Now let us consider the subject-reduction theorem (Theorem 2.1). In order to prove it, we need a replacement theorem corresponding to Lemma 2.1. Lemma 2.1 is stated in terms of the subject-construction theorem, which is much more complicated to state for TAC than it is for TA, but the part of the lemma corresponding to the subject-construction theorem is not needed for the subject-reduction theorem. Another complication arises from the fact that changes in a term to which a type is assigned may be reflected later in a deduction in the types themselves. However, in the case of the replacement lemma needed for the subject-reduction theorem, a term is replaced by a convertible term, so by rule (Eq″) the later types need not be changed. (See Hindley & Seldin [HS86] Lemma 16.39.) It is sufficient to have the following result (which is called a theorem because it is more substantial than Lemma 2.1):


Theorem 4.8 (Replacement) Let $\G​amma_1$ be any well-formed environment, and let $\mathcal{D}$ be a deduction of

$$\Gamma_1 \vdash_{\mathrm{TAC}} M : A.$$

Let $V : C$ be any statement in $\mathcal{D}$, let $\mathcal{D}_1$ be that part of $\mathcal{D}$ ending in $V : C$, let $\mathcal{D}_2$ be the rest of $\mathcal{D}$, and let $x_1 : B_1,\ x_2 : B_2,\ \ldots,\ x_n : B_n$ be the assumptions of $\mathcal{D}_1$ that are discharged in $\mathcal{D}_2$. Let $W$ be a term such that $W \equiv V$ and $\mathrm{FV}(W) \subseteq \mathrm{FV}(V)$, and suppose that $\Gamma_2$ is a well-formed environment in which $x_1, x_2, \ldots, x_n$ do not occur free. Suppose that $\mathcal{D}_3$ is a deduction of

$$\Gamma_2,\ x_1 : B_1,\ \ldots,\ x_n : B_n \vdash_{\mathrm{TAC}} W : C.$$

Then replacing $\mathcal{D}_1$ by $\mathcal{D}_3$ in $\mathcal{D}$ results in a deduction $\mathcal{D}_4$ of

$$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} M^* : A,$$

where $M^*$ is obtained from $M$ by replacing appropriate occurrences of $V$ by $W$.⁸

Proof By induction on the structure of $\mathcal{D}_2$.

Basis: There are two cases.

Case 1. $\mathcal{D}_2$ consists of the single statement $V : C$. Then $M$ is $V$, $M^*$ is $W$, and $\mathcal{D}_4$ is just $\mathcal{D}_3$.

Case 2. $\mathcal{D}_2$ consists only of the axiom (P T). Then the replacement is vacuous, $W \equiv V \equiv \mathrm{Prop}$, and $\mathcal{D}_4$ consists only of the axiom (P T).

Induction step: We have the following cases depending on the last inference in $\mathcal{D}_2$.

Case 1. The last inference of $\mathcal{D}_2$ is by (κκ′ Formation). Then $A$ is $\kappa'$, $M$ is $(\forall x : B)E$, and $\mathcal{D}$ is

$$
\dfrac{\ \begin{array}{c}\mathcal{D}_5\\ B:\kappa\end{array}\qquad \begin{array}{c}[x:B]\\ \mathcal{D}_6(x)\\ E:\kappa'\end{array}\ }{(\forall x:B)E:\kappa'}\ (\kappa\kappa'\ \text{Formation 1})
$$

where the occurrence of $V : C$ is either in $\mathcal{D}_5$ or in $\mathcal{D}_6(x)$. By the induction hypothesis, the replacement of $\mathcal{D}_1$ by $\mathcal{D}_3$ in $\mathcal{D}_5$ and $\mathcal{D}_6(x)$ leads to deductions $\mathcal{D}_7$ and $\mathcal{D}_8(x)$ of, respectively,

$$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} B^* : \kappa$$

and

$$\Gamma_1, \Gamma_2, x : B \vdash_{\mathrm{TAC}} E^* : \kappa'$$

for appropriate $B^*$ and $E^*$. Since $V \equiv W$, $B^* \equiv B$, and so $\mathcal{D}_4$ is as follows:

$$
\dfrac{\ \dfrac{\begin{array}{c}\mathcal{D}_7\\ B^*:\kappa\end{array}}{B:\kappa}\ (\mathrm{Eq}'\kappa)\qquad \begin{array}{c}[x:B]\\ \mathcal{D}_8(x)\\ E^*:\kappa'\end{array}\ }{(\forall x:B)E^*:\kappa'}\ (\kappa\kappa'\ \text{Formation 1})
$$

⁸ It is difficult to describe exactly the replacements which are required to obtain $M^*$ from $M$, but it is possible to read the replacement process from the proof. It is worth noting that the part of $\mathcal{D}_4$ which is not included in $\mathcal{D}_3$ has exactly the same inference rules in the same relative positions as $\mathcal{D}_2$ except perhaps for some inferences by (Eq′κ), (Eq″), or (≡α).

Case 2. The last inference of $\mathcal{D}$ is by (Eq′κ). Then $A$ is $\kappa$, and $\mathcal{D}$ is

$$
\dfrac{\begin{array}{c}\mathcal{D}_5\\ N:\kappa\end{array}}{M:\kappa}\ (\mathrm{Eq}'\kappa)
$$

where $N \equiv M$. By the induction hypothesis, the replacement of $\mathcal{D}_1$ by $\mathcal{D}_3$ in $\mathcal{D}_5$ leads to a deduction $\mathcal{D}_6$ of

$$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} N^* : \kappa$$

for an appropriate $N^*$. Since $N^* \equiv N \equiv M$, we can take $M^* = M$, and then $\mathcal{D}_4$ is obtained from $\mathcal{D}_6$ by an inference by (Eq′κ).

Case 3. The last inference of $\mathcal{D}$ is by (∀e). Then $M$ is $M_1M_2$, $A$ is $[M_2/x]A'$, and $\mathcal{D}$ is


Case 4. The last inference of $\mathcal{D}$ is by (∀κι). Then $A$ is $(\forall x : B)E$, $M$ is $\lambda x{:}B\,.\,N$, and $\mathcal{D}$ is

$$
\dfrac{\ \begin{array}{c}[x:B]\\ \mathcal{D}_5(x)\\ N:E\end{array}\qquad \begin{array}{c}\mathcal{D}_6\\ B:\kappa\end{array}\ }{\lambda x{:}B\,.\,N:(\forall x:B)E}\ (\forall\kappa\iota\ 1)
$$

By the induction hypothesis, the replacement of $\mathcal{D}_1$ by $\mathcal{D}_3$ in $\mathcal{D}_5(x)$ and $\mathcal{D}_6$ leads to deductions $\mathcal{D}_7(x)$ and $\mathcal{D}_8$ of

$$\Gamma_1, \Gamma_2, x : B \vdash_{\mathrm{TAC}} N^* : E$$

and

$$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} B^* : \kappa$$

for appropriate $N^*$ and $B^*$, where $B^* \equiv B$. Then $\mathcal{D}_4$ is as follows:

$$
\dfrac{\ \begin{array}{c}[x:B]\\ \mathcal{D}_7(x)\\ N^*:E\end{array}\qquad \dfrac{\begin{array}{c}\mathcal{D}_8\\ B^*:\kappa\end{array}}{B:\kappa}\ (\mathrm{Eq}'\kappa)\ }{\lambda x{:}B\,.\,N^*:(\forall x:B)E}\ (\forall\kappa\iota\ 1)
$$

Case 5. The last inference of $\mathcal{D}$ is by (Eq″). Then $\mathcal{D}$ is

$$
\dfrac{\begin{array}{c}\mathcal{D}_5\\ M:B\end{array}}{M:A}\ (\mathrm{Eq}'')
$$

where $A \equiv B$. By the induction hypothesis, the replacement of $\mathcal{D}_1$ by $\mathcal{D}_3$ in $\mathcal{D}_5$ leads to a deduction $\mathcal{D}_6$ of

$$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} M^* : B$$

for appropriate $M^*$, and $\mathcal{D}_4$ is obtained by adding an inference by (Eq″) at the end.

Case 6. The last inference in $\mathcal{D}$ is by (≡α). Then $\mathcal{D}$ is

$$
\dfrac{\begin{array}{c}\mathcal{D}_5\\ N:A\end{array}}{M:A}\ (\equiv_\alpha)
$$

where $M$ is obtained from $N$ by changes of bound variables. By the induction hypothesis, the replacement of $\mathcal{D}_1$ by $\mathcal{D}_3$ in $\mathcal{D}_5$ leads to a deduction $\mathcal{D}_6$ of

$$\Gamma_1, \Gamma_2 \vdash_{\mathrm{TAC}} N^* : A$$

for appropriate $N^*$. Since $\mathrm{FV}(W) \subseteq \mathrm{FV}(V)$, the changes of bound variables which occur in passing from $N$ to $M$ will take $N^*$ to the desired $M^*$, and so $\mathcal{D}_4$ can be obtained from $\mathcal{D}_6$ by adding an inference by (≡α). ■

We can use this theorem to prove the subject-reduction theorem the same way that Lemma 16.39 of Hindley & Seldin [HS86] is used to prove Theorem 16.41:

Theorem 4.9 (Subject-reduction theorem) Let $\Gamma$ be a well-formed environment. If

$$\Gamma \vdash_{\mathrm{TAC}} M : A$$

and $M \triangleright N$, then

$$\Gamma \vdash_{\mathrm{TAC}} N : A.$$

(See also the proof of Hindley & Seldin [HS86] Theorem 15.17.)

As in Hindley & Seldin [HS86] §16D2, the subject-reduction theorem is related to the normalization theorem. In particular, it tells us that the result of performing a reduction step on a valid deduction is another valid deduction. The reduction steps that interest us are the following:

κ reductions. A deduction of the form

$$
\begin{array}{c}
\dfrac{\ \dfrac{\dfrac{\ \begin{array}{c}[x:A]\\ \mathcal{D}_1(x)\\ M:B\end{array}\qquad \begin{array}{c}\mathcal{D}_2\\ A:\kappa\end{array}\ }{\lambda x{:}A\,.\,M:(\forall x:A)B}\ (\forall\kappa\iota\ 1)}{\lambda x{:}A\,.\,M:(\forall x:C)B}\ (\mathrm{Eq}'')\qquad \begin{array}{c}\mathcal{D}_3\\ N:C\end{array}\ }{(\lambda x{:}A\,.\,M)N:[N/x]B}\ (\forall\mathrm{e})\\[1ex]
\mathcal{D}_4
\end{array}
$$

reduces to

$$
\begin{array}{c}
\dfrac{\begin{array}{c}\mathcal{D}_3\\ N:C\end{array}}{N:A}\ (\mathrm{Eq}'')\\[1ex]
\mathcal{D}_1(N)\\[1ex]
[N/x]M:[N/x]B\\[1ex]
\mathcal{D}_4'
\end{array}
$$

where $\mathcal{D}_4'$ is obtained from $\mathcal{D}_4$ by replacing appropriate occurrences of $(\lambda x{:}A\,.\,M)N$ by $[N/x]M$ according to Theorem 4.8.

Here, the formula $\lambda x{:}A\,.\,M : (\forall x : C)B$ is the cut formula of the reduction step. A reduction is a (possibly empty) sequence of replacements using these reduction steps.

A special case of a κ reduction step is a context-reduction step or c-reduction step, in which $B$ is a context or a supercontext. A context-reduction or c-reduction is a reduction in which each reduction step is a c-reduction step. A deduction will be said to be context-normal, or c-normal, if it contains no cut formulas for c-reduction steps. It turns out to be easy to prove that every deduction can be reduced to a c-normal deduction using the notion of the degree of a term, and this partial normalization result is important in proving the full normalization theorem.

Definition 4.8 (Degree of a term) Let $A$ be a term such that there is a step $M : A$ in a deduction in TAC. Then the degree of $A$ relative to the deduction is defined as follows:

(a) if $A$ is not a context or a supercontext, then the degree of $A$ is 0;

(b) the degrees of Prop and Type are 1;

(c) the degree of $(\forall x : A)B$ is one more than the maximum of the degrees of $A$ and $B$; and

(d) if $A \equiv B$, then the degree of $A$ is equal to the degree of $B$.

Since only contexts and supercontexts have nonzero degrees, the definition of a context is enough to guarantee that the degree of a term relative to a deduction is well defined.

Remark Since it is not possible to decide mechanically for a given term whether or not it is a context or a supercontext, it may appear that this definition uses the law of the excluded middle, which is invalid in constructive logic, to define the degree of a term. But this is not really the case; for in calculating the degree of a given context or supercontext, it is only necessary to calculate the degree of terms $A$ which are either Prop or Type or for which there is a step in the deduction of the form $A : \mathrm{Type}$ or $A : \mathrm{Prop}$, and then the degree of $A$ can be determined by which of these situations occurs. (It is impossible to have more than one by Theorems 4.3, 4.4, 4.5 and 4.6, and it is possible to determine mechanically which occurs.)

Note that the degree of a term relative to a deduction is invariant under $\beta$-conversion.
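The κ reduction step carried out on a concrete deduction, as an added illustration that is not taken from the original text. Take the well-formed environment $Q : \mathrm{Prop}$ (so $\Gamma$ is $Q : \mathrm{Prop}$, an assumption introduced here for the example), let $\mathcal{D}_1(y)$ be the assumption $y : \mathrm{Prop}$ itself, let $\mathcal{D}_2$ be the axiom (P T), let $\mathcal{D}_3$ be the assumption $Q : \mathrm{Prop}$, and omit the (Eq″) inference, so that $C$ is $A$. The deduction

$$
\dfrac{\ \dfrac{[y:\mathrm{Prop}]\qquad \mathrm{Prop}:\mathrm{Type}}{\lambda y{:}\mathrm{Prop}\,.\,y:(\forall y:\mathrm{Prop})\mathrm{Prop}}\ (\forall\mathrm{T}\iota\ 1)\qquad Q:\mathrm{Prop}\ }{(\lambda y{:}\mathrm{Prop}\,.\,y)Q:[Q/y]\mathrm{Prop}}\ (\forall\mathrm{e})
$$

reduces, since $[Q/y]y$ is $Q$ and $[Q/y]\mathrm{Prop}$ is $\mathrm{Prop}$, to the single statement

$$Q : \mathrm{Prop}.$$

The cut formula is $\lambda y{:}\mathrm{Prop}\,.\,y : (\forall y : \mathrm{Prop})\mathrm{Prop}$. Its type is a context of index 1 with prefix type Prop, so by Definition 4.8 it has degree $1 + \max(1, 1) = 2$; and $B$ here is Prop, a context of index 0, so the step is a c-reduction step. The reduct contains no cut formula at all, so it is c-normal, and the subject $Q$ is the c-normal form of $(\lambda y{:}\mathrm{Prop}\,.\,y)Q$ in the sense of Definition 4.9.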


Theorem 4.10 Every deduction in TAC with conclusion $M : A$ can be reduced to a c-normal deduction with the same undischarged assumptions and with conclusion $N : A$, where $M \triangleright N$.

Proof Let the degree of a cut formula be the degree of its type with respect to the deduction. Note that if a cut formula is removed by a reduction step, the degree of another cut formula which had lower degree before the reduction step and which occurs in the deduction after the reduction is unchanged. Let the index of a deduction be the pair $(d, n)$, where $d$ is the maximum degree of any cut formula (for a c-reduction step) in the deduction and $n$ is the number of such cut formulas in the deduction with degree $d$. If the pairs are ordered as in the proof of Theorem 1.2, and if reduction steps are carried out in the same order (the cut formula has degree $d$, and there is no cut formula with degree $d$ in $\mathcal{D}_3$), then an argument like that of the proof of Theorem 1.2 shows that every deduction can be reduced to a deduction with no cut formulas for c-reduction steps. It should be clear from the nature of the reduction steps that a reduction changes only the term to the left of the colon in any formula, by carrying out a sequence of contractions. ■

Definition 4.9 The term $N$ of Theorem 4.10 will be called a c-normal form of $M$.

In terms of this definition, Theorem 4.10 says that every term to which a type is assigned by TAC has a c-normal form.

This partial normalization result is important for the full normalization theorem because it gives us some useful information about terms $A$ for which it is possible to prove $\Gamma \vdash_{\mathrm{TAC}} A : \mathrm{Prop}$. To obtain this information, we need the following lemmas:

Lemma 4.1 Let $\mathcal{D}$ be a c-normal deduction of

$$\Gamma \vdash_{\mathrm{TAC}} A : \mathrm{Prop},$$

where $\Gamma$ is a well-formed environment. Then either $A \equiv (\forall x : B)C$ for some terms $B$ and $C$ and some variable $x$ which does not occur free in $\Gamma$, or $A \equiv xM_1M_2\ldots M_p$ for some variable $x$, some natural number $p$ (which may be 0), and some terms $M_1, M_2, \ldots, M_p$; and furthermore, it can be decided constructively which of these alternatives holds.

Proof Consider the last inference in $\mathcal{D}$ which is not by (Eq″), (Eq′P), or (≡α). This inference cannot be by (∀κι) since the type of the conclusion is an atomic constant, so the only remaining possible rules are (κP Formation) and (∀e). Which of these rules actually occurs can be decided constructively (by inspection of the deduction).

If the inference is by (κP Formation), then there are terms $B$ and $C$ and a variable $x$ which does not occur free in $\Gamma$ such that $A \equiv (\forall x : B)C$.

If the inference is by (∀e), then consider the left branch of the deduction. As we travel up that branch from the bottom, the only inferences we find are by (∀e), (Eq″), (≡α), and perhaps (Eq′P) at the very bottom. This means that the formula at the top of the left branch must be an undischarged assumption, and it must therefore be in $\Gamma$. It follows that this statement must have the form $x : D$, where $D \equiv (\forall x_1 : C_1)\ldots(\forall x_p : C_p)\mathrm{Prop}$ for some natural number $p$ (which may be 0). Then we must have $A \equiv xM_1\ldots M_p$ for some terms $M_1, \ldots, M_p$. ■

Definition 4.10 (Simple and compound deductions) If $\mathcal{D}$ is a deduction as in Lemma 4.1, then it will be called compound if the first case of the lemma holds and simple if the second case holds. If $A$ is a term such that $A : \mathrm{Prop}$ is the conclusion of such a deduction $\mathcal{D}$, then $A$ will be simple [compound] if $\mathcal{D}$ is simple [compound].

Lemma 4.2 If there is a deduction of

$$\Gamma \vdash_{\mathrm{TAC}} A : \mathrm{Prop},$$

then there is a c-normal deduction of it.

Proof Let $\mathcal{D}$ be the given deduction. By Theorem 4.10 there is a c-normal deduction of

$$\Gamma \vdash_{\mathrm{TAC}} B : \mathrm{Prop},$$

where $A \triangleright B$. By adding one inference by (Eq′P) at the end, we get the desired c-normal deduction of

$$\Gamma \vdash_{\mathrm{TAC}} A : \mathrm{Prop}.\ ■$$

By Lemma 4.2 and Definition 4.10, every type in Prop (with respect to a given well-formed environment) is either simple or compound, and it is possible to decide constructively which it is. Furthermore, the compound types are formed by repeated use of the operation $\forall$ from the simple types and Prop. Note that the contexts are formed in more or less the same way.

Lemma 4.3 If $\mathcal{D}$ is a deduction of

$$\Gamma \vdash_{\mathrm{TAC}} (\forall x : A)B : \mathrm{Prop},$$

where $x$ does not occur free in $\Gamma$ or in $A$ and where $\Gamma$ is a well-formed environment, then there is a deduction $\mathcal{D}'$ of

$$\Gamma, x : A \vdash_{\mathrm{TAC}} B : \mathrm{Prop}.$$

Furthermore, the c-normal deduction to which $\mathcal{D}'$ reduces has fewer inferences by rules other than (Eq″), (Eq′κ), and (≡α) than the c-normal deduction to which $\mathcal{D}$ reduces.

Proof This follows from Lemmas 4.1 and 4.2. ■

Theorem 4.11 If

$$\Gamma \vdash_{\mathrm{TAC}} M : A,$$

where $\Gamma$ is a well-formed environment and $A$ is not a supercontext, then

$$\Gamma \vdash_{\mathrm{TAC}} A : \mathrm{Type}$$

or

$$\Gamma \vdash_{\mathrm{TAC}} A : \mathrm{Prop}.$$

Proof By induction on the length of the deduction $\mathcal{D}$ with the conclusion $M : A$. The only difficult case is that in which the last inference of $\mathcal{D}$ is by rule (∀e). Then $M \equiv PN$, $A \equiv [N/x]C$, and $\mathcal{D}$ has the form

$$
\dfrac{\ \begin{array}{c}\mathcal{D}_1\\ P:(\forall x:B)C\end{array}\qquad \begin{array}{c}\mathcal{D}_2\\ N:B\end{array}\ }{PN:[N/x]C}\ (\forall\mathrm{e})
$$

By the induction hypothesis,

$$\Gamma \vdash_{\mathrm{TAC}} (\forall x : B)C : \kappa \qquad (4.4)$$

and

$$\Gamma \vdash_{\mathrm{TAC}} B : \kappa'. \qquad (4.5)$$

If we have $\kappa = \mathrm{Type}$, then (4.4) must be the conclusion of one of the rules (κ′T Formation), the premises being (4.5) and

$$\Gamma, x : B \vdash_{\mathrm{TAC}} C : \mathrm{Type}.$$

The conclusion then follows by placing $\mathcal{D}_2$ over each occurrence of the assumption $x : B$. If $\kappa = \mathrm{Prop}$, we use Lemma 4.3 to carry out a similar argument using one of the rules (κP Formation). ■

Lemmas 4.1 and 4.2 give us a structure on the types in Prop. It is interesting to note that the other types have exactly the same structure. By Theorem 4.11, every type is in Prop, in Type, or is a supercontext. It is clear from the definition that supercontexts have this structure, and Theorem 4.3 tells us that the same is true for contexts. What all of this means is that types are built up from Type, Prop, and the simple types by the operation forming $(\forall x : A)B$.

Theorems 4.3, 4.4 and 4.11 and Corollary 4.6.1 allow us to classify all formulas which can be deduced from well-formed environments:

Definition 4.11 (Classification of formulas) A formula $M : A$ is called:

(a) a context function if $A$ is a supercontext;

(b) a context if $A \equiv \mathrm{Type}$;

(c) a proposition function if $A$ is a context;

(d) a proposition if $A \equiv \mathrm{Prop}$; and

(e) a proof if $A$ is neither a context nor a supercontext.

A deduction whose undischarged assumptions form a well-formed environment is classified according to its last formula.

This classification shows the connection between TAC and the formulas-as-types isomorphism.

We would like to extend this classification to the terms $M$ (at least relative to a given well-formed environment). In other words, we modify Definition 4.11 as follows:

Definition 4.12 (Classification of terms) A term $M$ is called:

(a) a $\Gamma$-context function if there is a supercontext $A$ such that $\Gamma \vdash_{\mathrm{TAC}} M : A$;

(b) a $\Gamma$-context if $\Gamma \vdash_{\mathrm{TAC}} M : \mathrm{Type}$;

(c) a $\Gamma$-proposition function if there is a context $A$ such that $\Gamma \vdash_{\mathrm{TAC}} M : A$;

(d) a $\Gamma$-proposition if $\Gamma \vdash_{\mathrm{TAC}} M : \mathrm{Prop}$; and

(e) a $\Gamma$-proof if there is a term $A$ which is neither a context nor a supercontext such that

$$\Gamma \vdash_{\mathrm{TAC}} M : A.$$
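The following is an added example, not code from this document or from ULYSSES: a small Python model of the TAC term language that makes the definitions of this chapter executable. It is placed here because one program serves several passages: Definition 4.3 (well-formed environments), Definitions 4.4 and 4.6 (standard form, index and prefix types of a context or supercontext), Definition 4.8 (degree), the subject-reduction theorem (Theorem 4.9) checked on one instance, and the classification of Definition 4.12. The function names (`infer`, `well_formed_env`, `standard_form`, `degree`, `classify`) and the sample terms are ours. The checker implements only the rules named on this page, the axiom (P T), (κκ′ Formation), (∀κι), (∀e) and conversion, and it assumes its inputs are well typed and hence strongly normalising; that assumption is what lets it decide "is a context" by normalising and inspecting the result, which is exactly the point of the Remark after Definition 4.8 about deciding degrees relative to a deduction rather than for arbitrary terms.

```python
# Added example (not the document's code): an executable model of the TAC term
# language and of the checks on this page.  Inputs are assumed well-typed, hence
# strongly normalising, so "normalise and look" is a sound decision procedure.
from dataclasses import dataclass

@dataclass(frozen=True)
class Var:   name: str                     # variable
@dataclass(frozen=True)
class Const: name: str                     # 'Prop' or 'Type'
@dataclass(frozen=True)
class Pi:    x: str; A: object; B: object  # (forall x : A) B
@dataclass(frozen=True)
class Lam:   x: str; A: object; B: object  # lambda x : A . B
@dataclass(frozen=True)
class App:   f: object; a: object          # f a

PROP, TYPE = Const("Prop"), Const("Type")
KINDS = (PROP, TYPE)

def fv(t):  # free variables
    if isinstance(t, Var):   return {t.name}
    if isinstance(t, Const): return set()
    if isinstance(t, App):   return fv(t.f) | fv(t.a)
    return fv(t.A) | (fv(t.B) - {t.x})

def fresh(x, avoid):
    while x in avoid: x += "'"
    return x

def subst(t, x, N):  # capture-avoiding substitution [N/x]t
    if isinstance(t, Var):   return N if t.name == x else t
    if isinstance(t, Const): return t
    if isinstance(t, App):   return App(subst(t.f, x, N), subst(t.a, x, N))
    A = subst(t.A, x, N)
    if t.x == x: return type(t)(t.x, A, t.B)          # x is shadowed inside B
    y, B = t.x, t.B
    if y in fv(N):                                     # rename the binder to avoid capture
        y = fresh(y, fv(N) | fv(B) | {x}); B = subst(B, t.x, Var(y))
    return type(t)(y, A, subst(B, x, N))

def nf(t):  # beta-normal form; terminates for well-typed terms
    if isinstance(t, App):
        f, a = nf(t.f), nf(t.a)
        return nf(subst(f.B, f.x, a)) if isinstance(f, Lam) else App(f, a)
    if isinstance(t, (Pi, Lam)): return type(t)(t.x, nf(t.A), nf(t.B))
    return t

def alpha_eq(a, b, pairs=()):  # equality up to renaming of bound variables, rule (=alpha)
    if type(a) is not type(b): return False
    if isinstance(a, Var):
        for p, q in reversed(pairs):                   # innermost binder wins
            if a.name == p or b.name == q: return a.name == p and b.name == q
        return a.name == b.name
    if isinstance(a, Const): return a.name == b.name
    if isinstance(a, App):   return alpha_eq(a.f, b.f, pairs) and alpha_eq(a.a, b.a, pairs)
    return alpha_eq(a.A, b.A, pairs) and alpha_eq(a.B, b.B, pairs + ((a.x, b.x),))

def conv(a, b): return alpha_eq(nf(a), nf(b))          # convertibility, the (Eq) rules

def infer(env, t):  # type of t under env, a list of (name, type) pairs x1:A1, ..., xn:An
    if t == PROP: return TYPE                          # axiom (P T)
    if isinstance(t, Var):
        for name, A in reversed(env):
            if name == t.name: return A
    if isinstance(t, (Const, Var)): raise TypeError("no type for " + t.name)
    if isinstance(t, App):                             # rule (forall e)
        F = nf(infer(env, t.f))
        if not isinstance(F, Pi) or not conv(infer(env, t.a), F.A):
            raise TypeError("ill-typed application")
        return subst(F.B, F.x, t.a)
    if any(n == t.x for n, _ in env):                  # keep environment variables distinct
        z = fresh(t.x, {n for n, _ in env} | fv(t.B))
        t = type(t)(z, t.A, subst(t.B, t.x, Var(z)))
    if nf(infer(env, t.A)) not in KINDS: raise TypeError("binder type not in Prop or Type")
    B = infer(env + [(t.x, t.A)], t.B)
    if isinstance(t, Lam): return Pi(t.x, t.A, B)      # rule (forall kappa iota)
    if nf(B) not in KINDS: raise TypeError("forall body not in Prop or Type")
    return nf(B)                                       # rule (kappa kappa' Formation): kind kappa'

def well_formed_env(env):  # Definition 4.3; A1 is checked against the empty environment
    for i, (x, A) in enumerate(env):
        if any(x in fv(Aj) for _, Aj in env[:i + 1]): return False   # condition (a)
        try:
            if nf(infer(env[:i], A)) not in KINDS: return False       # condition (b)
        except TypeError:
            return False
    return True

def standard_form(A):  # (index, prefix types, kind) per Definitions 4.4 and 4.6, else None
    prefix, t = [], nf(A)
    while isinstance(t, Pi):
        prefix.append(t.A); t = t.B
    if t == PROP: return len(prefix), prefix, "context"
    if t == TYPE: return len(prefix), prefix, "supercontext"
    return None

def degree(A):  # Definition 4.8: nonzero only for contexts and supercontexts
    A = nf(A)
    if A in KINDS: return 1
    return 1 + max(degree(A.A), degree(A.B)) if standard_form(A) else 0

def classify(env, M):  # Definition 4.12, read off the standard form of the type of M
    sf = standard_form(infer(env, M))
    if sf is None: return "proof"
    n, _, kind = sf
    if kind == "supercontext": return "context" if n == 0 else "context function"
    return "proposition" if n == 0 else "proposition function"
```

Run over the environment $A : \mathrm{Prop},\ P : (\forall x : A)\mathrm{Prop}$, `well_formed_env` accepts it, `infer` assigns Type to $(\forall x : A)\mathrm{Prop}$ (a context of index 1 and degree 2, so $P$ is a $\Gamma$-proposition function), `infer` assigns the supercontext $(\forall x : \mathrm{Prop})\mathrm{Type}$ to the page's example $\lambda x{:}\mathrm{Prop}\,.\,\mathrm{Prop}$, and `conv(infer(env, M), infer(env, nf(M)))` holds for $M = (\lambda y{:}\mathrm{Prop}\,.\,y)A$, the subject-reduction property on that instance. The value of a model like this is the same one the Introduction gives for MATHESIS itself: properties such as Corollary 4.6.2 (a term has at most one kind) are things to test against the implementation, not to assume of it.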

We have already proved (Corollary 4.6.1) that no term is both a $\Gamma$-context function and a $\Gamma$-proposition function, or both a $\Gamma$-context function and a $\Gamma$-proof. To complete the proof that this classification is exclusive, we need the following result.

Theorem 4.12 If $\Gamma$ is a well-formed environment, and if

$$\Gamma \vdash_{\mathrm{TAC}} M : A \quad\text{and}\quad \Gamma \vdash_{\mathrm{TAC}} M' : B$$

are both derivable, where $M$ and $M'$ differ only by changes of bound variables, then

$$A \equiv B.$$

Proof By induction on the lengths of the two deductions, $\mathcal{D}_1$ and $\mathcal{D}_2$ respectively.

Case 1. The last inference in $\mathcal{D}_1$ is by (Eq″). Assume that the left premise is $M : A'$. By the induction hypothesis, $A' \equiv B$. But $A \equiv A'$, and so $A \equiv B$.

Case 2. The last inference in $\mathcal{D}_2$ is by (Eq″). Symmetric to Case 1.

Case 3. The last inference in neither $\mathcal{D}_1$ nor $\mathcal{D}_2$ is by (Eq″).

Subcase 3.1. $\mathcal{D}_1$ consists of the axiom. Then $M$ is Prop and $A$ is Type. Then either $\mathcal{D}_2$ is also the axiom, in which case $B$ is Type and we are finished, or else the last inference in $\mathcal{D}_2$ is by rule (Eq′κ), in which case $\kappa$ is Type by Corollary 4.6.1.

Subcase 3.2. The last inference of $\mathcal{D}_1$ is by (κκ′ Formation). Then $B$ is $\kappa'$ by Corollary 4.6.2.

Subcase 3.3. The last inference of $\mathcal{D}_1$ is by (Eq′κ). Then by Corollary 4.6.2, $B$ is $\kappa$.

Subcase 3.4. The last inference of $\mathcal{D}_1$ is by (∀e). Then the last inference of $\mathcal{D}_2$ is either (∀e) or (Eq′κ). If it is (Eq′κ), then the theorem follows by Corollary 4.6.2. Otherwise, $M$ is $NP$, $M'$ is $N'P'$ (where $N'$ and $P'$ differ from $N$ and $P$ only by changes in bound variables), $A$ is $[P/x]A'$, $B$ is $[P'/x]B'$, $\mathcal{D}_1$ is

$$
\dfrac{N : (\forall x : C)A' \qquad P : C}{NP : [P/x]A'}\ (\forall\mathrm{e})
$$

and $\mathcal{D}_2$ is

$$
\dfrac{N' : (\forall x : D)B' \qquad P' : D}{N'P' : [P'/x]B'}\ (\forall\mathrm{e})
$$

By the induction hypothesis, $C \equiv D$ and $(\forall x : C)A' \equiv (\forall x : D)B'$. It follows that $A' \equiv B'$, and hence $A \equiv B$.

Subcase 3.5. The last inference in $\mathcal{D}_1$ is by (∀κι). Then the last inference in $\mathcal{D}_2$ is by (∀κ′ι), $M$ is $\lambda x{:}C\,.\,N$, $M'$ is $\lambda x{:}C\,.\,N'$ where $N$ and $N'$ differ by changes in bound variables, $A$ is $(\forall x : C)A'$, and $B$ is $(\forall x : C)B'$. (There is no loss of generality in assuming that the indicated bound variable is $x$ in both $M$ and $M'$ because if the bound variables are different a minor modification of $\mathcal{D}_2$ will make them the same.) Furthermore, $\mathcal{D}_1$ is

$$
\dfrac{\begin{array}{c}[x:C]\\ \vdots\\ N:A'\end{array}}{\lambda x{:}C\,.\,N : (\forall x : C)A'}\ (\forall\kappa\iota\ 1)
$$

and $\mathcal{D}_2$ is

$$
\dfrac{\begin{array}{c}[x:C]\\ \vdots\\ N':B'\end{array}}{\lambda x{:}C\,.\,N' : (\forall x : C)B'}\ (\forall\kappa'\iota\ 1)
$$

By the induction hypothesis, $A' \equiv B'$, and it clearly follows that $A \equiv B$.

Subcase 3.6. The last inference in $\mathcal{D}_1$ is by (≡α). This case is trivial. ■

Corollary 4.12.1 For any well-formed environment $\Gamma$, no term is both a $\Gamma$-proposition function and a $\Gamma$-proof.

Proof Suppose $M$ is both a $\Gamma$-proposition function and a $\Gamma$-proof. Then there is a $\Gamma$-proposition $B$ and a $\Gamma$-context $C$ such that

$$\Gamma \vdash_{\mathrm{TAC}} M : B \quad\text{and}\quad \Gamma \vdash_{\mathrm{TAC}} M : C.$$

Hence,

$$\Gamma \vdash_{\mathrm{TAC}} B : \mathrm{Prop} \quad\text{and}\quad \Gamma \vdash_{\mathrm{TAC}} C : \mathrm{Type}.$$

By the theorem, $B \equiv C$. Hence, by the Church-Rosser Theorem, there is a term $D$ to which both $B$ and $C$ reduce which can be proved on the basis of $\Gamma$ to be in both Prop and Type, contradicting Corollary 4.6.2. ■

Theorem 4.10 gives us the following characterization of Γ-proposition functions:

Theorem 4.13 If Γ is a well-formed environment, and if A is a Γ-proposition function which is not a proposition, then either each c-normal form of A has the form λx:B.C, in which case the type assigned to A by Γ converts to (∀x:B)F, where F is a context, or each c-normal form of A has the form xM_1...M_n.

Proof By hypothesis, there is a c-normal deduction of

  Γ ⊢_TAC D : (∀x:B)F,

where A ▷ D, which is a c-normal form of it, and F is a context. Except for (Eq″) and (=_η), which make no difference, the last inference in this c-normal deduction must be (∀κi) or (∀κe). If it is (∀κi), we are done. If it is (∀κe), then proceed up the left branch to the first formula which is not the conclusion of an inference by (→e) or (∀κe). Since the deduction is c-normal and since F is a context, this formula is not the conclusion of an inference by (∀κi). Hence, it is an assumption, and D has the form xM_1...M_n, as desired. (That all c-normal forms of A are of the same kind follows by the Church-Rosser Theorem.) ■

By iterating the theorem, and, if necessary, replacing terms M by λy_i:B_i . My_i, where y_i is not free in M, we can prove the following corollary:

Corollary 4.13.1 Under the hypotheses of the theorem, if

  Γ ⊢_TAC A : (∀x_1:B_1)...(∀x_n:B_n)Prop,

then either A =. λx_1:B_1 . ... λx_n:B_n . A', where A' is a Γ-context, or else every c-normal form of A has the form xM_1...M_n.

Remark It is worth pointing out that, as we have formulated TAC, there is nothing to exclude making an assumption of the form x : A, where A is a supercontext. We have not considered such assumptions so far, and the early formulations of TAC excluded them. But they do no harm, since the rules of the system prevent the discharge of any such assumption; furthermore, they will turn out to be useful in practice, since undischarged variables may be thought of as new constants added to the system. But if such assumptions are allowed, then it is no longer true that anything that can be proved to be in Type is a context in the sense of Definition 4.4; it might convert instead to

  (∀x_1:A_1)...(∀x_n:A_n)xB_1...B_m.

If we allow such terms to be contexts in a generalized sense, then different assumptions can result in the same formula having different classifications according to Definition 4.11. For example, let Γ_1 be x : Type and let Γ_2 be x : Prop; then y : x is a Γ_1-proposition and a Γ_2-proof. Furthermore, the definition of well-formed environment (Definition 4.3) would have to be modified to allow any of the A_i to be a supercontext. (Definition 4.5, of a well-formed context, would then have to differ from Definition 4.3, since none of the A_i of a standard form of a well-formed context can convert to a supercontext.) In Definition 4.8, it is necessary to specify that the rank of xB_1...B_m is 1 if x : (∀x_1:A_1)...(∀x_m:A_m)Type is assumed in the deduction. In connection with Definition 4.10, a term of the form xB_1...B_m, where x : (∀x_1:A_1)...(∀x_m:A_m)Type is assumed in the deduction, will be called a simple generalized context. Finally, it is important to specify that no substitutions be made for variables assumed to be in supercontexts; they must behave like constants. In what follows, we shall assume that these modifications have been made.




4.3  The  strong  normalization  theorem. 

It might appear that to prove the normalization theorem it is sufficient to combine Theorem 4.10 with a similar result for reduction steps whose cut formulas are not propositions. But this fails to work, for on the one hand, such a reduction step may require that a type of arbitrary complexity be substituted for a variable that is part of an assumption that is also a sentence, and on the other hand, a reduction step whose cut formula is a proof may introduce a new cut formula which is a proposition and whose type is a context of arbitrarily high degree.

On the other hand, Theorem 4.10 is of help in proving normalization, for it shows (via Lemma 4.3) that the types which are proved to be in Prop can be formed from the simple types and Prop by ∀ in much the same way that the types of TAP are formed from type variables by the type constructors. This turns out to make it possible to adapt a proof of normalization for TAP to TAC. The proof we have chosen to adapt is a proof of strong normalization due to Stenlund [Ste72] §5.6. However, the proof needs to be modified in much the way that the proof of [Mar71a] is modified in [Mar73].

Convention Let D be a deduction whose conclusion is M : A, where A =. (∀x_1:A_1)...(∀x_n:A_n)U, and for i = 1,...,n, let D_i be a deduction with conclusion M_i : A_i', where

  A_i' = [M_1/x_1,...,M_{i-1}/x_{i-1}]A_i.

Then

       D
     M : A
  {D_1,...,D_n}

will denote the deduction

                     D
                   M : A
  ------------------------------------- (Eq″)          D_1
  M : (∀x_1:A_1)...(∀x_n:A_n)U                       M_1 : A_1'
  ----------------------------------------------------------------- (∀e)
  MM_1 : [M_1/x_1]((∀x_2:A_2)...(∀x_n:A_n)U)
  ...
                                                         D_n
  MM_1...M_{n-1} : (∀x_n:A_n')U'                      M_n : A_n'
  ----------------------------------------------------------------- (∀e)
  MM_1...M_n : U''

where U' = [M_1/x_1,...,M_{n-1}/x_{n-1}]U and U'' = [M_1/x_1,...,M_n/x_n]U. (If n = 0, then it will denote D itself.)


Definition 4.13 (Type of a deduction) If D is a deduction whose conclusion is M : A, then A is called the type of D.

Definition 4.14 (Strongly normal deduction) A deduction D is said to be strongly normal (SN) if every reduction starting with D terminates in a normal deduction.

Our  aim  is  to  prove  that  every  deduction  is  SN. 

Remark In the proof, we will be making important use of the classifications in Definition 4.11. We will also be discussing a number of deductions at the same time. It will be important that each formula in each deduction be classified the same way in any other deduction under consideration. For this purpose we will need to know that the well-formed environments of different deductions are all consistent in that none of them have assumptions assigning different types to the same variable. To ensure this consistency, we will assume that we are starting with a generalized well-formed environment Γ_0 that is an infinite set rather than a finite sequence of assumptions. All well-formed environments actually considered will draw their assumptions from Γ_0, and no variable will be assigned more than one type in Γ_0. Furthermore, we shall assume that any finite subset of Γ_0 can be extended to a larger finite subset of Γ_0 whose elements can be ordered in such a way that it is a well-formed environment. For any deduction under consideration, we shall assume that its discharged assumptions belong to Γ_0; such a deduction will be called Γ_0-acceptable. A term which is the type of a Γ_0-acceptable deduction will be called a Γ_0-type. We shall assume that any term is a Γ_0-type which can be built up from Prop, Type, and the simple types and simple generalized contexts obtainable from assumptions in Γ_0. (This assumption is easy to satisfy: if we start with a candidate for Γ_0 for which it is not true, we extend it with new assumptions (for new variables), and we keep doing this until there are enough assumptions.) A Γ_0-proposition variable of type A, where A is a context, is a variable x such that x : A is in Γ_0. And finally, a Γ_0-term of type A is a term M such that M : A is provable from assumptions in Γ_0.

Definition 4.15 (Ground type set) A set S of Γ_0-acceptable deductions is a grounded type set (ground) if the following three conditions are satisfied:

(a) Every deduction in S is SN;

(b) If D_1(N) is a part of a deduction obtained from a deduction D_1(x) (with undischarged assumption x : A and conclusion M : B) by substituting N for x, if D_3 is SN, and if

          D_3
         N : C
        ------- (Eq″)
         N : A
         D_1(N)
    [N/x]M : [N/x]B

is in S, then

       [x : A]              D_2
       D_1(x)
       M : B               A : κ
    ---------------------------- (∀κi)
     λx:A.M : (∀x:A)B
    ---------------------------- (Eq″)        D_3
     λx:A.M : (∀x:C)B                        N : C
    ------------------------------------------------- (∀e)
     (λx:A.M)N : [N/x]B

is also in S; and

(c) If D_1,...,D_n are SN, and if

       x : A
    {D_1,...,D_n}

is a Γ_0-acceptable deduction, then it is in S. A ground in which all of the deductions have a given type A will be called a ground of type A.

Examples The set of all SN Γ_0-acceptable deductions is a ground. This ground will be called SN. If A is a Γ_0-type, then the set of all SN Γ_0-acceptable deductions of type A is a ground of type A; it is called SN_A.

Definition 4.16 (Proposition term) A proposition term is a term A such that A : B is a proposition. A proposition term which is also a variable is a proposition variable. If

  B =. (∀x_1:B_1)...(∀x_n:B_n)Prop,

then terms M_1,...,M_n such that for i = 1,2,...,n,

  M_i : [M_1/x_1,...,M_{i-1}/x_{i-1}]B_i

can be proved from hypotheses from Γ_0, will be called argument terms of A. If n = 0, then the term [variable] is called a sentence term [sentence variable]. (Note that if A is a proposition term and M_1,...,M_n are argument terms of A, then AM_1...M_n : Prop can be proved from assumptions in Γ_0.)

For the next definition, we need to recall what we know about Γ_0-types. We know that any such type (except a supercontext) can be proved (from assumptions in Γ_0) to be in Prop or in Type, and that a deduction proving that A is in Prop or Type which has been transformed by Theorem 2.5 can end with an inference by rule (Eq″). If we take such a deduction which is c-normal and delete this last inference, we get what we might call a standard form of A, to which A converts. If we add to these standard forms the standard forms of the supercontexts, then this standard form will either be Prop, Type, a simple type, a simple generalized context, or else will have the form (∀x:B)C. When we speak of making a definition by induction on the structure of a type, we will mean by induction on the number of occurrences of ∀ in its standard form. This mirrors the construction of the type from Prop and the simple types by the universal type-forming operator. We can indicate this induction by the following definition:

Definition 4.17 (Rank of a Γ_0-type) The rank of a Γ_0-type A, rk(A), is defined as follows:

(a) if A is a simple type or a simple generalized context, rk(A) = 0;

(b) rk(Prop) = rk(Type) = 0; and

(c) rk((∀x:A)B) = rk(A) + rk(B) + 1.

Definition 4.18 (Computability predicate) Let M be a Γ_0-term of type A. By induction on rk(A), a computability predicate of type M, denoted p[M], is defined as follows:

(a) if A is not a context, then p[M] = M;

(b) if A =. Prop or Type, then p[M] is a ground of type M; and

(c) if A =. (∀x_1:A_1)...(∀x_n:A_n)Prop, then p[M] is a function whose arguments are computability predicates p[M_1],...,p[M_n] of types M_1,...,M_n, where each M_i is a Γ_0-term of type A_i, and whose value is a ground of type MM_1...M_n.
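As an added illustration of Definitions 4.17 and 4.18 (it is not part of the original text), take a Γ_0 that contains the assumptions t : Prop and P : (∀u:t)Prop; the names t, P, u and v are assumptions made here for the example. Then t is a simple type (a sentence variable), and Pu : Prop whenever u : t. The ranks come out as

$$
\begin{aligned}
\mathrm{rk}(t) &= 0, \qquad \mathrm{rk}(\mathrm{Prop}) = 0, \\
\mathrm{rk}\big((\forall u:t)\mathrm{Prop}\big) &= \mathrm{rk}(t) + \mathrm{rk}(\mathrm{Prop}) + 1 = 1, \\
\mathrm{rk}\big((\forall v:(\forall u:t)\mathrm{Prop})\mathrm{Prop}\big) &= 1 + 0 + 1 = 2 .
\end{aligned}
$$

The computability predicates are then fixed by the rank of the type, from rank 0 upwards:

$$
\begin{aligned}
p[M] &= M &&\text{for } M : t,\ \text{since } t \text{ is not a context (clause (a))};\\
p[t] &\text{ is a ground of type } t,\ \text{e.g. } \mathrm{SN}_t, &&\text{since } t : \mathrm{Prop}\ \text{(clause (b))};\\
p[P] &: p[M] \mapsto \text{a ground of type } PM,\ \text{e.g. } p[P](M) = \mathrm{SN}_{PM}, &&\text{since } P : (\forall u:t)\mathrm{Prop}\ \text{(clause (c))}.
\end{aligned}
$$

So p[P] is a function on the rank-0 predicates p[M] = M, one for each Γ_0-term M of type t, which is why clause (c) can only be stated once clause (a) has dealt with the lower-rank argument type. The value SN_{PM} is a ground by the Examples following Definition 4.15; any other ground of type PM would serve equally well as a value of p[P].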

For the next definition, we need to proceed by a kind of induction on the structure of a term. For this induction, we need to note that if a term A is not a Γ_0-proof, then it is a Γ_0-proposition function, a Γ_0-context function, or a supercontext. Thus, if A is not a Γ_0-proof, then it converts to Prop, Type, a Γ_0-simple type, a Γ_0-simple generalized context, (∀x:B)C (where B is neither a supercontext nor a proof and where C is not a proof), or λx:B.C (where B is neither a supercontext nor a proof and where C is neither a supercontext nor a proof). Here B and C are essentially simpler than A; furthermore, if A converts to a simple type xM_1...M_n, then each M_i is essentially simpler than A. This justifies the following definition by induction on the "structure of A".


Definition 4.19 (Computability object) Let A(x_1,...,x_n) be a term all of whose free variables which are not assigned to supercontexts in Γ_0 occur in the list x_1,...,x_n. Let A_1,...,A_n be Γ_0-terms of the types of x_1,...,x_n respectively. Let p[A_1],...,p[A_n] be an assignment of computability predicates to the terms A_1,...,A_n. Relative to this assignment we shall define by induction on the structure of A(x_1,...,x_n) a computability object C[A(x_1,...,x_n)](p[A_1],...,p[A_n]), which will contain deductions of type A(A_1,...,A_n) if A(x_1,...,x_n) is a Γ_0-type. To simplify the notation, we let x be the sequence x_1,...,x_n, A the sequence A_1,...,A_n, and p[A] be the sequence p[A_1],...,p[A_n].

(a) if A(x) is a Γ_0-proof, then C[A(x)](p[A]) is the term A(A) itself;

(b) if A(x) =. Prop, Type, or a Γ_0-simple generalized context, then C[A(x)](p[A]) = SN_{A(A)}, the set of all SN Γ_0-acceptable deductions of type A(A);

(c) if A(x) =. x_iM_1(x)...M_m(x) and is neither a Γ_0-proof nor a Γ_0-simple generalized context, then C[A(x)](p[A]) is p[A_i](C[M_1(x)](p[A]),...,C[M_m(x)](p[A]));

(d) if A(x) =. (∀x:B(x))C(x,x), where B(x) is not a context, then C[A(x)](p[A]) is the set of all Γ_0-acceptable deductions

        D
     M : A(A)

such that if

        D'
     N : B(A)

is in C[B(x)](p[A]), then

           D
        M : A(A)
    ------------------------- (Eq″)        D'
    M : (∀x:B(A))C(x,A)                  N : B(A)
    ---------------------------------------------- (∀e)
         MN : C(N,A)

is in C[C(N,x)](p[A]);

(e) if A(x) =. (∀x:B(x))C(x,x) where B(x) is a context, then C[A(x)](p[A]) is the set of all Γ_0-acceptable deductions

        D
     M : A(A)

such that if

        D'
     E : B(A)

is in C[B(x)](p[A]) and if p[E] is any computability predicate assigned to E, then

           D
        M : A(A)
    ------------------------- (Eq″)        D'
    M : (∀x:B(A))C(x,A)                  E : B(A)
    ---------------------------------------------- (∀e)
         ME : C(E,A)

is in C[C(x,x)](p[E],p[A]); and

(f) if A(x) =. λx:B(x).C(x,x) and is not a Γ_0-proof, then C[A(x)](p[A]) is a function whose argument is a computability predicate p[E] of a Γ_0-term E of type B(A) (the type of x), and whose values are given by

  (C[A(x)](p[A]))(p[E]) = C[C(x,x)](p[E],p[A]).

Remarks

1. In case (d), note that since B(x) is not a context and since N : B(A), C(N,x) must have the same structure (with respect to the construction of types) as C(x,x). The division into cases between (d) and (e) is precisely the distinction between terms which cannot and terms which can, after substitution, change the structure of the type in an essential way, and dealing with this possible change is one of the main difficulties of the proof.

2. In cases (d) and (e) of this definition, we are assuming that x does not occur free in A. Since x does not occur in B(A), this is immediate for those A_i which actually occur in B(A), and for those which do not occur in C(x,A), there is clearly no problem. For those A_i which occur in C(x,A) but not in B(A), since we automatically change bound variables to avoid clashes when we carry out a substitution, the fact that the bound variable is x implies that it does not occur free in these A_i.

3. Case (c) of this definition makes sense only if each C[M_j(x)](p[A]) is a computability predicate. This will be proved below (Lemma 4.6).

Lemma 4.4 (a) If

       x : B
  {D_1,...,D_n}

for n ≥ 0 is a deduction of type A(A), and if D_1,...,D_n are all SN, then

       x : B
  {D_1,...,D_n}

is in C[A(x)](p[A]).

(b) Every deduction in C[A(x)](p[A]) is SN.¹

Proof By induction on the structure of A(x). Note that A(x) is not a Γ_0-proof and does not convert to λx:B(x).C(x,x).

Case 1. A(x) =. Prop, Type, or a Γ_0-simple generalized context. Since

       x : B
  {D_1,...,D_n}

is SN whenever D_1,...,D_n are SN, (a) follows by Definition 4.19(b). Part (b) follows immediately by Definition 4.19(b).

Case 2. A(x) =. x_iM_1...M_m and is not a Γ_0-simple generalized context. Part (a) holds by Definition 4.15(c) and Definitions 4.18 and 4.19(c). Part (b) holds by Definition 4.15(a) and Definitions 4.18 and 4.19(c).

Case 3. A(x) =. (∀x:B(x))C(x,x), where B(x) is not a context. To prove (b), let

       D
    M : A(A)

be a deduction in C[A(x)](p[A]) and let x : B(A) be an assumption in Γ_0 for which x does not occur free in D. (We may assume without loss of generality that the bound variable x has been changed if necessary to assure that there is such an assumption in Γ_0.) By the induction hypothesis (a) (with n = 0), x : B(A) is in C[B(x)](p[A]). Hence, by Definition 4.19(d),

           D
        M : A(A)
    ------------------------- (Eq″)
    M : (∀x:B(A))C(x,A)                  x : B(A)
    ---------------------------------------------- (∀e)
         Mx : C(x,A)

is in C[C(x,x)](p[A]). Hence, by the induction hypothesis (b), this deduction is SN. Hence, D is SN.

To prove (a), let

       y : E
  {D_1,...,D_n}

be a Γ_0-acceptable deduction of type A(A) where D_1,...,D_n are all SN, and let

       D
    N : B(A)

be in C[B(x)](p[A]). By the induction hypothesis (b), D is SN. Hence, by the induction hypothesis (a),

        y : E
  {D_1,...,D_n,D}

is in C[C(N,x)](p[A]). Hence, by Definition 4.19(d),

       y : E
  {D_1,...,D_n}

is in C[A(x)](p[A]).

Case 4. A(x) =. (∀x:B(x))C(x,x), where B(x) is a context. To prove (b), let

       D
    M : A(A)

be in C[A(x)](p[A]), and let x : B(A) be an assumption in Γ_0. By the induction hypothesis (a) (with n = 0), x : B(A) is in C[B(x)](p[A]). By Definition 4.19(e),

           D
        M : A(A)
    ------------------------- (Eq″)
    M : (∀x:B(A))C(x,A)                  x : B(A)
    ---------------------------------------------- (∀e)
         Mx : C(x,A)

is in C[C(x,x)](p[x],p[A]) for all p[x]. By the induction hypothesis (b), it is SN. Hence, D is SN.

To prove (a), let

       y : E
  {D_1,...,D_n}

be a Γ_0-acceptable deduction of type A(A) where D_1,...,D_n are all SN, and let

       D
    F : B(A)

be in C[B(x)](p[A]). By the induction hypothesis (b), D is SN. Hence, by the induction hypothesis (a),

        y : E
  {D_1,...,D_n,D}
Proof By induction on the structure of A(x). Again, A(x) is not a Γ_0-proof and does not convert to λx:B(x).C(x,x).

Case 1. A(x) =. Prop, Type, or a Γ_0-simple generalized context. The lemma follows from Definition 4.19(b) and the fact that (4.7) is SN whenever (4.6) is and the hypotheses of the lemma are satisfied.

Case 2. A(x) =. x_iM_1...M_m and is not a Γ_0-simple generalized context. The lemma holds by Definition 4.15(b) and Definition 4.19(c).

Case 3. A(x) =. (∀x:B(x))C(x,x), where B(x) is not a context. By hypothesis, (4.6) is in C[A(x)](p[A]). Let

       D
    P : B(A)

be any deduction in C[B(x)](p[A]). Then by Definition 4.19(d) we have

          D_3
         N : C
        ------- (Eq″)
         N : E
         D_1(N)
    [N/x]M : [N/x]B
    {D_1',...,D_n',D}

is in C[C(P,x)](p[A]). By the induction hypothesis,

       [x : E]              D_2
       D_1(x)
       M : B               E : κ
    ---------------------------- (∀κi)
     λx:E.M : (∀x:E)B
    ---------------------------- (Eq″)        D_3
     λx:E.M : (∀x:C)B                        N : C
    ------------------------------------------------- (∀e)
     (λx:E.M)N : [N/x]B
     {D_1',...,D_n',D}

is in C[C(P,x)](p[A]). Hence, by Definition 4.19(d), (4.7) is in C[A(x)](p[A]).

Case 4. A(x) =. (∀x:B(x))C(x,x), where B(x) is a context. By hypothesis, (4.6) is in C[A(x)](p[A]). Let

       D
    F : B(A)

be any deduction in C[B(x)](p[A]), and let p[F] be a computability predicate for F. Then by Definition 4.19(e) we have

          D_3
         N : C
        ------- (Eq″)
         N : E
         D_1(N)
    [N/x]M : [N/x]B
    {D_1',...,D_n',D}

is in C[C(x,x)](p[F],p[A]). By the induction hypothesis,

       [x : E]              D_2
       D_1(x)
       M : B               E : κ
    ---------------------------- (∀κi)
     λx:E.M : (∀x:E)B
    ---------------------------- (Eq″)        D_3
     λx:E.M : (∀x:C)B                        N : C
    ------------------------------------------------- (∀e)
     (λx:E.M)N : [N/x]B
     {D_1',...,D_n',D}

is in C[C(x,x)](p[F],p[A]). Hence, by Definition 4.19(e), (4.7) is in C[A(x)](p[A]). ■

Lemma 4.6 If A(x) and p[A] satisfy the hypothesis of Definition 4.19, then C[A(x)](p[A]) is a ground for each term A(A).

Proof Lemmas 4.4 and 4.5. ■


The following lemma makes sense because of Lemma 4.6.

Lemma 4.7 (Substitution) Let x be a variable which is not assigned a supercontext as a type by Γ_0, let A(x,y) be any Γ_0-type, and let B(y) be a term which can be shown from Γ_0 to have the same type as x, where y includes all variables except x which occur free and which are not assigned supercontexts as types by Γ_0. Let C be a sequence of terms of the same types as the variables in y and let p[C] be an assignment of computability predicates to the terms in C. Then

  C[A(x,y)](C[B(y)](p[C]), p[C]) = C[A(B(y),y)](p[C]).




Proof By induction first on the rank of the type of B(y) and second on the structure of A(x,y). For simplicity, let p[B(C)] abbreviate C[B(y)](p[C]). (This is a computability predicate by Lemma 4.6.)

Case 1. A(x,y) is a Γ_0-proof. Then both sides are A(B(C),C) by Definition 4.19(a). In the remaining cases, we may assume that A(x,y) is not a Γ_0-proof.

Case 2. x does not occur free in A(x,y). Then the lemma is trivial. This takes care of the cases in which A(x,y) converts to Prop or Type.

Case 3. A(x,y) =. zM_1...M_n, a simple generalized context. Then z is assigned a supercontext as a type by Γ_0 and hence, by hypothesis, is distinct from x. Then by Definition 4.19(b), each side consists of the set of all SN deductions of type A(B(C),C).

Case 4. A(x,y) =. yM_1(x,y)...M_n(x,y), where y ≢ x is one of the variables in y, and C is the term in C corresponding to y. Then

  C[A(x,y)](p[B(C)],p[C]) = p[C](C[M_1(x,y)](p[B(C)],p[C]), ..., C[M_n(x,y)](p[B(C)],p[C])),

and since A(B(y),y) =. yM_1(B(y),y)...M_n(B(y),y),

  C[A(B(y),y)](p[C]) = p[C](C[M_1(B(y),y)](p[C]), ..., C[M_n(B(y),y)](p[C])).

The lemma follows by the induction hypothesis.

Case 5. A(x,y) =. xM_1(x,y)...M_p(x,y). For simplicity, write this as xM(x,y). Then the type of x and B(y) is

  (∀z_1:E_1)...(∀z_p:E_p)G,

where G is either Prop or a Γ_0-simple context function, and so B(y) is a proposition function. By Definition 4.19(c),

  C[A(x,y)](p[B(C)],p[C]) = p[B(C)](C[M(x,y)](p[B(C)],p[C])).

By the induction hypothesis, the right-hand side equals

  p[B(C)](C[M(B(y),y)](p[C])),

which, by our abbreviation for p[B(C)], is

  C[B(y)](p[C])(C[M(B(y),y)](p[C])).

If p = 0, we are finished, since A(B(y),y) =. B(y) and M(B(y),y) is void, so this is just

  C[A(B(y),y)](p[C]),

as desired. If p > 0, then we have the following subcases according to Corollary 4.13.1:




Subcase 5.1. B(y) =. λz_1:E_1 . ... λz_p:E_p . F(z,y), where z is the sequence z_1,...,z_p. By Definition 4.19(f),

  C[B(y)](p[C])(C[M(B(y),y)](p[C]))

is

  C[F(z,y)](C[M(B(y),y)](p[C]), p[C]).

By the induction hypothesis on the type of B(y), this is

  C[B(y)M(B(y),y)](p[C]),

and since A(B(y),y) =. B(y)M(B(y),y), we are done.

Subcase 5.2. B(y) =. y_iN_1(y)...N_q(y), which we may as well abbreviate as y_iN(y). Then A(B(y),y) =. y_iN(y)M(B(y),y). Now by Definition 4.19(c),

  C[B(y)](p[C])(C[M(B(y),y)](p[C]))

is

  p[C_i](C[N(y)](p[C]))(C[M(B(y),y)](p[C])),

but this is the same thing as

  p[C_i](C[N(y)](p[C]), C[M(B(y),y)](p[C])),

and by Definition 4.19(c), this is

  C[A(B(y),y)](p[C]),

as desired.

Case 6. A(x,y) =. (∀z:E(x,y))F(z,x,y), where E(x,y) is not a context. By the induction hypothesis,

  C[E(x,y)](p[B(C)],p[C]) = C[E(B(y),y)](p[C])

and, for any term N(y) such that there is a Γ_0-acceptable deduction ending in N(C) : E(B(C),C),

  C[F(N(y),x,y)](p[B(C)],p[C]) = C[F(N(y),B(y),y)](p[C]).

By Definition 4.19(d), the lemma follows.

Case 7. A(x,y) =. (∀z:E(x,y))F(z,x,y), where E(x,y) is a context. Similar to Case 6, using Definition 4.19(e). ■

Notation In the following lemma, x will denote the sequence x_1,...,x_n, y the sequence y_1,...,y_m, N the sequence N_1,...,N_n, B the sequence B_1,...,B_m, and p[B] the sequence p[B_1],...,p[B_m]. Furthermore, A_{i+1}', for i = 0,1,...,n-1, will denote

  [N_1/x_1,...,N_i/x_i]A_{i+1}.


Lemma 4.8 Let

  x_1 : A_1(y), ..., x_n : A_n(y)
            D(x,y)
        M(x,y) : A(x,y)

be a Γ_0-acceptable deduction all of whose undischarged assumptions are among those shown, where y consists of all variables which occur free in any type or term which are not assigned supercontexts as types by Γ_0. For all assignments of terms B_1,...,B_m to y_1,...,y_m (where for each i = 1,2,...,m, it can be proved from Γ_0 that B_i is in the type assigned to y_i) and for all assignments of computability predicates p[B_1],...,p[B_m] to B_1,...,B_m, if for i = 1,2,...,n the Γ_0-acceptable deduction

        D_i
    N_i : A_i'(B)

is in C[A_i'(y)](p[B]), then

       D_1             D_n
  N_1 : A_1'(B), ..., N_n : A_n'(B)
            D(N,B)
        M(N,B) : A(N,B)                                        (4.8)

is in C[A(N,y)](p[B]).


Proof By induction on the structure of D(x,y).

Basis:

Case 1. D(x,y) consists of the axiom (P T). Since this deduction is clearly SN, the lemma follows by Definition 4.19(b).

Case 2. D(x,y) consists of the assumption x_i : A_i(y). The lemma is immediate.

Induction step: There are the following cases, according to the last inference in D(x,y).

Case 1. The last inference is by (κκ′ Formation). By Definition 4.19(b), it is sufficient to prove that (4.8) is SN. By the induction hypothesis and Definition 4.19(b), the deductions of both premises are SN. Hence, (4.8) is SN.

Case 2. The last inference is by (Eq′κ). Similar to Case 1.

Case 3. The last inference is by (∀e). Then M(x,y) is M_1(x,y)M_2(x,y), A(x,y) =. E(M_2(x,y),x,y),

¹ Cf. Hindley & Seldin [HS86], Theorem A2.3.
and D(x,y) is

  x_1 : A_1(y), ..., x_n : A_n(y)           x_1 : A_1(y), ..., x_n : A_n(y)
             D'(x,y)                                    D''(x,y)
  M_1(x,y) : (∀x:C(x,y))E(x,x,y)                  M_2(x,y) : C(x,y)
  ------------------------------------------------------------------------ (∀e)
               M_1(x,y)M_2(x,y) : E(M_2(x,y),x,y).

Subcase 1. C(x,y) is not a context. By the induction hypothesis,

       D_1             D_n
  N_1 : A_1'(B), ..., N_n : A_n'(B)
            D'(N,B)
  M_1(N,B) : (∀x:C(N,B))E(x,N,B)

is in C[(∀x:C(N,y))E(x,N,y)](p[B]) and

       D_1             D_n
  N_1 : A_1'(B), ..., N_n : A_n'(B)
            D''(N,B)
       M_2(N,B) : C(N,B)

is in C[C(N,y)](p[B]). Then by Definition 4.19(d), (4.8) is in C[E(M_2(N,y),N,y)](p[B]).

Subcase 2. C(x,y) is a context. By the induction hypothesis,

       D_1             D_n
  N_1 : A_1'(B), ..., N_n : A_n'(B)
            D'(N,B)
  M_1(N,B) : (∀x:C(N,B))E(x,N,B)

is in C[(∀x:C(N,y))E(x,N,y)](p[B]) and

       D_1             D_n
  N_1 : A_1'(B), ..., N_n : A_n'(B)
            D''(N,B)
       M_2(N,B) : C(N,B)

is in C[C(N,y)](p[B]). Then by Definition 4.19(e), for any computability predicate p[M_2(N,B)], (4.8) is in C[E(x,N,y)](p[M_2(N,B)],p[B]). To complete the proof, it is sufficient to find a computability predicate p[M_2(N,B)] such that

  C[E(x,N,y)](p[M_2(N,B)],p[B]) = C[E(M_2(N,y),N,y)](p[B]).                (4.9)

A suitable such function is the one such that

  p[M_2(N,B)] = C[M_2(N,y)](p[B]).

That this is a computability predicate follows from Definition 4.18 and Lemma 4.6. That (4.9) holds follows from Lemma 4.7.

Case 4. The last inference is by (∀κi). Then A(x,y) =. (∀z:C(x,y))E(z,x,y), M(x,y) is λz:C(x,y).M_1(z,x,y), and D(x,y) is

  [z : C(x,y)], x_1 : A_1(y), ..., x_n : A_n(y)      x_1 : A_1(y), ..., x_n : A_n(y)
                D'(z,x,y)                                       D''(x,y)
          M_1(z,x,y) : E(z,x,y)                                C(x,y) : κ
  ----------------------------------------------------------------------------- (∀κi)
            λz:C(x,y).M_1(z,x,y) : (∀z:C(x,y))E(z,x,y)

Subcase 1. C(x,y) is not a context. Then κ ≡ Prop. By the induction hypothesis, for all deductions

       D'''
    P : C(N,B)

in C[C(N,y)](p[B]),

     D'''           D_1             D_n
  P : C(N,B), N_1 : A_1'(B), ..., N_n : A_n'(B)
               D'(P,N,B)
        M_1(P,N,B) : E(P,N,B)

is in C[E(P,N,y)](p[B]). Hence, by Lemmas 4.4(b) and 4.5,

  [z : C*], N_1 : A_1*, ..., N_n : A_n*        N_1 : A_1*, ..., N_n : A_n*
               D'*(z)                                     D''*
          M_1*(z) : E*(z)                                C* : κ
  ---------------------------------------------------------------- (∀κi)
       λz:C*.M_1*(z) : (∀z:C*)E*(z)                                         D'''
                                                                          P : C*
  ------------------------------------------------------------------------------- (∀e)
                      (λz:C*.M_1*(z))P : E*(P)

where A_i* = A_i'(B), X* = X(N,B), and X*(Y) = X(Y,N,B), is also in C[E(P,N,y)](p[B]). Since D''' is arbitrary, this implies by Definition 4.19(d) that (4.8) is in C[A(N,y)](p[B]).

Subcase 2. C(x,y) is a context. Then κ ≡ Type. By the induction hypothesis, for all deductions

       D'''
    F : C(N,B)

in C[C(N,y)](p[B]) and for all computability predicates p[F],

     D'''           D_1             D_n
  F : C(N,B), N_1 : A_1'(B), ..., N_n : A_n'(B)
               D'(F,N,B)
        M_1(F,N,B) : E(F,N,B)

is in C[E(z,N,y)](p[F],p[B]). Hence, by Lemmas 4.4(b) and 4.5,

  [z : C*], N_1 : A_1*, ..., N_n : A_n*        N_1 : A_1*, ..., N_n : A_n*
               D'*(z)                                     D''*
          M_1*(z) : E*(z)                                C* : κ
  ---------------------------------------------------------------- (∀κi)
       λz:C*.M_1*(z) : (∀z:C*)E*(z)                                         D'''
                                                                          F : C*
  ------------------------------------------------------------------------------- (∀e)
                      (λz:C*.M_1*(z))F : E*(F)

where A_i*, X*, and X*(Y) are as in Subcase 1, is also in C[E(z,N,y)](p[F],p[B]). Since D''' and p[F] are arbitrary, this implies by Definition 4.19(e) that (4.8) is in C[A(N,y)](p[B]).

Case 5. The last inference is by (Eq″). This is straightforward by Definition 4.19.

Case 6. The last inference is by (=_η). This is trivial by Definition 4.19. ■

Theorem 4.14 (Strong normalization) Every deduction in TAC is strongly normal.

Proof In Lemma 4.8, let D_i consist of the assumption x_i : A_i(y) and let B_j be y_j. Then for any sequence p[B], D(x,y) is in C[A(x,y)](p[B]), and so is SN. ■


4.4 Consequences of the strong normalization theorem

Although we have proved the strong normalization theorem for deductions, this theorem is usually proved for terms. We saw in Theorem 2.2 and Corollary 2.2.1 that for TA, the normalization theorem for terms can be proved from the strong normalization theorem for deductions by using the subject-construction theorem. We do not have this theorem for TAC in a form that is easy to state. Nevertheless, there is a relationship between terms and deductions, and we can expect to use this relationship to obtain a normalization theorem for terms.

Theorem 4.15 (Normalization theorem for terms) If $\Gamma$ is a well-formed environment and if

$$\Gamma \vdash_{\mathrm{TAC}} M : A,$$

then $M$ has a normal form.

Proof By Theorem 4.14 there is a normal deduction $\mathcal{D}$ of

$$\Gamma \vdash_{\mathrm{TAC}} N : A,$$

where $M \rhd N$. The proof is by induction on the deduction $\mathcal{D}$.

Basis: If $\mathcal{D}$ consists of an assumption, then $N$ is a variable, and so it is in normal form. If $\mathcal{D}$ consists of the axiom (P T), then $N$ is Prop, which is in normal form.

Induction step: There are the following cases, depending on the last inference in $\mathcal{D}$.

Case 1. The last inference is by rule ($\kappa\kappa'$Formation). Then $A$ is $\kappa'$, $N$ is $(\forall x : B)C$, and $\mathcal{D}$ is

$$\dfrac{\begin{array}{c}\mathcal{D}_1\\ B : \kappa\end{array}\qquad\begin{array}{c}[x : B]\\ \mathcal{D}_2\\ C : \kappa'\end{array}}{(\forall x : B)C : \kappa'}\ (\kappa\kappa'\mathrm{Formation})$$

By the induction hypothesis, $B$ and $C$ have normal forms; hence, so does $N$.

Case 2. The last inference is by rule (Eq$'\kappa$). Then by the induction hypothesis, $N$ converts to a term $B$ (to the left of the colon in the premise) which has a normal form.

Case 3. The last inference is by rule ($\forall$e). Then $N \equiv PQ$, $A \equiv [Q/x]C$, and $\mathcal{D}$ is

By the induction hypothesis, $P$ and $Q$ have normal forms. Furthermore, since $\mathcal{D}$ is normal, there is no $\kappa$-reduction possible in it. It follows that at the top of the left branch of $\mathcal{D}$ (and hence of $\mathcal{D}_1$) is an undischarged assumption. It follows that $P \equiv yQ_1 \ldots Q_m$ for some variable $y$. It follows that $Q_1, \ldots, Q_m$ all have normal forms, and hence that $PQ \equiv yQ_1 \ldots Q_mQ$ does as well.

Case 4. The last inference is by rule ($\forall\kappa$i). Then $A \equiv (\forall x : B)C$, $N \equiv \lambda x{:}B\,.\,P$, and $\mathcal{D}$ is

$$\dfrac{\begin{array}{c}[x : B]\\ \mathcal{D}_1(x)\\ P : C\end{array}\qquad\begin{array}{c}\mathcal{D}_2\\ B : \kappa\end{array}}{\lambda x{:}B\,.\,P : (\forall x : B)C}\ (\forall\kappa i)$$

By the induction hypothesis, $B$ and $P$ have normal forms; hence, so does $N \equiv \lambda x{:}B\,.\,P$.

Case 5. The last inference is by rule (Eq$''$). Then $N$ is the term to the left of the colon in the premise, and so by the induction hypothesis it has a normal form.

Case 6. The last inference is by rule ($\equiv_\alpha$). Then $N$ is obtained by changes of bound variables from a term which, by the induction hypothesis, has a normal form, and so $N$ has a normal form. ■

Note that we have not proved that every term is SN. If we try to replace the conclusion by "$N$ is SN" in the above proof, we can see that Case 2 breaks down, since not every term convertible to an SN term is itself SN. Indeed, if $A$ is SN, and if $x \notin \mathrm{FV}(A)$, then for any terms $B$ and $C$, $(\lambda x{:}B\,.\,A)C = A$; now if $C$ has no normal form, then $(\lambda x{:}B\,.\,A)C$ is not SN. This shows that we cannot strengthen the theorem to prove that $N$ is SN. (Of course, to prove that $M$ is SN is somewhat more complicated; we will take this up below.)

It might appear that since only Case 2 breaks down, and since the conclusion in this case is not a proof, we might want to add the assumption that $N : A$ is a proof. This will exclude Case 2. But now we have trouble with Case 4: we can conclude that $P$ is SN, but not that $B$ is SN. Indeed, by the remarks of the previous paragraph, $B$ might not be SN.

Mitchell [Mit80] defines a function Erase for TAP which deletes the types of the bound variables. When this function is modified for TAC, it is defined as follows:

Definition 4.20 (Erase function) (a) $\mathrm{Erase}(a) \equiv a$ if $a$ is a constant or a variable;

(b) $\mathrm{Erase}(MN) \equiv \mathrm{Erase}(M)\,\mathrm{Erase}(N)$;

(c) $\mathrm{Erase}(\lambda x{:}A\,.\,M) \equiv \lambda x\,.\,\mathrm{Erase}(M)$; and

(d) $\mathrm{Erase}((\forall x : A)B) \equiv (\forall x : \mathrm{Erase}(A))\mathrm{Erase}(B)$.

Note that except for clause (d), we are mapping terms of TAC to pure $\lambda$-terms. In fact, the range of the function Erase is the set of TAC terms (Definition 2.17).


We can now prove that if $A$ is not a context in the theorem, then $\mathrm{Erase}(N)$ is SN. To extend this result to $\mathrm{Erase}(M)$, it is enough to note that deductions of proofs do follow the constructions of the terms, except that additional inferences of formulas which are not proofs are added at various places on top. This will give us the following result:

Corollary 4.15.1 Under the hypotheses of Theorem 4.15, if $A$ is not a context, then $\mathrm{Erase}(M)$ is strongly normal.

There are some further corollaries that follow immediately from Theorem 4.15. These corollaries are standard consequences of normalization theorems.

Corollary 4.15.2 For terms $M$ and $N$ such that

$$\Gamma \vdash_{\mathrm{TAC}} M : A$$

and

$$\Gamma \vdash_{\mathrm{TAC}} N : A,$$

where $\Gamma$ is a well-formed environment, it is decidable whether or not $M = N$.

Corollary 4.15.3 For a term $M$ and a well-formed environment $\Gamma$, it is decidable whether or not there is a term $A$ such that

$$\Gamma \vdash_{\mathrm{TAC}} M : A.$$

We can also prove a partial converse to Theorem 4.2, relating TAC to TAP. Recall¹² that the interpretation of types and terms of TAP as terms of TAC is defined as follows: first, we divide the variables of TAC into two mutually disjoint classes, the first for interpreting term variables of TAP and the second for interpreting the type variables. Then, for a term or type $A$ of TAP, we define $A^*$, a term of TAC, as follows:

(a) if $x$ is a term variable, then $x^*$ is a variable of the first class distinct from all variables $y^*$ for term variables $y$ distinct from $x$;

(b) if $a$ is a type variable, then $a^*$ is a variable of the second class distinct from all variables $b^*$ for type variables $b$ distinct from $a$;

(c) $(\alpha \to \beta)^*$ is $(\forall x : \alpha^*)\beta^*$ for a (term-)variable $x$ which does not occur free in $\alpha^*$ or $\beta^*$;

(d) $((\forall a)\alpha)^*$ is $(\forall a^* : \mathrm{Prop})\alpha^*$;

(e) $(MN)^*$ is $M^*N^*$;

(f) $(M\alpha)^*$ is $M^*\alpha^*$;

(g) $(\lambda x{:}\alpha\,.\,M)^*$ is $\lambda x^*{:}\alpha^*\,.\,M^*$; and

(h) $(\lambda a.M)^*$ is $\lambda a^*{:}\mathrm{Prop}\,.\,M^*$.

It is easy to show that if $\alpha$ is any type-scheme of TAP, then $\alpha^*$ is in normal form, and that if $M$ is any term of TAP which is in normal form, then $M^*$ is also in normal form. Note also that this interpretation takes any $\beta''$-contraction of TAP into a $\beta$-contraction of TAC.

¹² Cf. Remark 1 and Hindley & Seldin [HS86], Theorem 16.69.
Theorem 4.16 Let $\Gamma$ be a sequence

$$x_1 : \alpha_1,\ x_2 : \alpha_2,\ \ldots,\ x_n : \alpha_n$$

of assumptions in TAP, and let $\Gamma^*$ be

$$x_1^* : \alpha_1^*,\ x_2^* : \alpha_2^*,\ \ldots,\ x_n^* : \alpha_n^*.$$

Let $\alpha$ be any type scheme in TAP, let $a_1, \ldots, a_m$ include all of the type variables which occur free in $\alpha$, and let $\Gamma'$ be

$$a_1^* : \mathrm{Prop},\ \ldots,\ a_m^* : \mathrm{Prop}.$$

If $\mathcal{D}$ is a normal deduction in TAC of

$$\Gamma^*, \Gamma' \vdash_{\mathrm{TAC}} M^* : \alpha^*,$$

where $M$ is a term of TAP, then there is a normal deduction $\mathcal{D}'$ in TAP of

$$\Gamma \vdash_{\mathrm{TAP}} M : \alpha.$$

Proof Note first that Lemmas 16.67 and 16.68 of Hindley & Seldin [HS86] hold for TAC as well as for TAGL; the proofs for TAC are obtained by a minor change in notation from those for TAGL.

The proof is by induction on the deduction $\mathcal{D}$. Note that by hypothesis, $\mathcal{D}$ does not consist of axiom (P T), and its last inference is not by any of rules ($\kappa\kappa'$Formation) or (Eq$'\kappa$). Furthermore, since we are assuming that $\mathcal{D}$ has been transformed according to Theorem 4.1, we may assume that the last inference is not by rule (Eq$''$). For the types of the assumptions (both discharged and undischarged) are all in normal form, and if the types of the premises of any rule except ($\forall$e) and (Eq$''$) are in normal form, then so is the type of the conclusion. With regard to inferences in $\mathcal{D}$ by rule ($\forall$e), the left branch above each such inference contains inferences only by the same rule and rule (Eq$''$), and at the top of the branch is an assumption (since $\mathcal{D}$ is normal); and it is not hard to see, by beginning with the assumption, that because the type of the left premise of each such inference by rule ($\forall$e) is $\beta^*$ for some TAP type scheme $\beta$, so is the type of the conclusion. It follows that each of these types is in normal form, and so there is no inference by rule (Eq$''$) in the branch. There are the following remaining cases:

Case 1. $\mathcal{D}$ consists of an assumption. Then $M$ is $x_i$, $\alpha$ is $\alpha_i$, and $\mathcal{D}'$ consists of the corresponding assumption in TAP.

Case 2. The last inference in $\mathcal{D}$ is by rule ($\forall$e). Then since $\mathcal{D}$ is normal, the only inferences which occur in the left branch are by rule ($\forall$e). Furthermore, $M^*$ is in normal form. Now it follows from this that $M^*$ has the form $xM_1 \ldots M_r$, where $x$ is assigned a type by the assumption at the top of the branch (which is not discharged). Hence, $x$ is one of the $x_i^*$. By the definition of the interpretation, it follows that each $M_j$ is either $N_j^*$ for some TAP term $N_j$, in which case the type assigned to it is $\gamma_j^*$ for some TAP type scheme $\gamma_j$, or else some $\beta_j^*$ for some TAP type scheme $\beta_j$, in which case the type assigned to it is Prop. By the induction hypothesis, there is a normal deduction $\mathcal{D}_j$ of $\Gamma \vdash_{\mathrm{TAP}} N_j : \gamma_j$ for each such $N_j$, and then rules ($\to$e) and ($\forall$e) of TAP can be used to obtain $\mathcal{D}'$ from the assumption $x_i : \alpha_i$ and the deductions $\mathcal{D}_j$.

Case 3. The last inference in $\mathcal{D}$ is by rule ($\forall$Pi). Then $\alpha^*$ is $(\forall x : B)C$ and $M^*$ is $\lambda x{:}B\,.\,N$. By the right premise, $B$ is $\beta^*$ for some TAP type scheme $\beta$, and it follows that $x$ is some $y^*$, for a TAP term variable $y$, and does not occur free in $C$; furthermore, $C$ is $\gamma^*$ for some TAP type scheme $\gamma$. In addition, $N$ is $P^*$ for some TAP term $P$. It follows that if the last inference is removed from $\mathcal{D}$, the result is a normal deduction $\mathcal{D}_1$ of

$$\Gamma^*, y^* : \beta^*, \Gamma' \vdash_{\mathrm{TAC}} P^* : \gamma^*.$$

By the induction hypothesis, there is a normal deduction $\mathcal{D}_1'$ of

$$\Gamma, y : \beta \vdash_{\mathrm{TAP}} P : \gamma,$$

and $\mathcal{D}'$ is obtained by an inference by rule ($\to$i).

Case 4. The last inference in $\mathcal{D}$ is by rule ($\forall$Ti). Then $\alpha^*$ is $(\forall x : B)C$ and $M^*$ is $\lambda x{:}B\,.\,N$. By the right premise, $B$ is Prop. Hence, $x$ is $a^*$ for a TAP type variable $a$, $C$ is $\beta^*$ for some TAP type scheme $\beta$, and $N$ is $P^*$ for some TAP term $P$. It follows that if the last inference is removed from $\mathcal{D}$, the result is a normal deduction $\mathcal{D}_1$ of

$$\Gamma^*, \Gamma', a^* : \mathrm{Prop} \vdash_{\mathrm{TAC}} P^* : \beta^*.$$

By the induction hypothesis, there is a normal deduction $\mathcal{D}_1'$ of

$$\Gamma \vdash_{\mathrm{TAP}} P : \beta.$$

Since $\alpha$ is $(\forall a)\beta$, $\mathcal{D}'$ follows by an inference by rule ($\forall$i).

Case 5. The last inference in $\mathcal{D}$ is by rule ($\equiv_\alpha$). This case is trivial since the same rule (essentially) is also a rule of TAP. ■

Corollary 4.16.1 Under the hypotheses of the theorem, if $N = M^*$ and if $A = \alpha^*$, and if

$$\Gamma^*, \Gamma' \vdash_{\mathrm{TAC}} N : A,$$

then

$$\Gamma \vdash_{\mathrm{TAP}} M : \alpha.$$
4.5 The theory of constructions: sequent formulation

In this section we shall consider an alternative formulation of the theory of constructions. It is a variant of the form in which the theory was originally presented in Coquand [Coq85], and is closer to the presentation in other papers by Coquand and Huet than is the system TAC.

As we saw in the last section, every rule which discharges an assumption of the form $x : A$ has a premise not depending on this discharged assumption that is either $A : \mathrm{Prop}$ or $A : \mathrm{Type}$. If we wanted to, we could take these premises as justifications for the assumptions instead of premises for the rules; this is the approach adopted by Martin-Löf in his work (see his [Mar75], [Mar82], and [Mar84]). The main reason this is not done in TAC is that it would require that premise to be written above the assumption, and then the assumptions would not occur at the tops of branches, an inconvenience for the theory of a system such as TAC. But for the form of the theory of constructions presented by Coquand, it is the most useful approach.

This form of the theory of constructions is what is known as a sequent calculus. A sequent is an expression of the form

$$\Gamma \vdash E, \qquad (4.10)$$

where $\Gamma$ is a (possibly empty) sequence of formulas and $E$ is a formula. This particular sequent calculus is formulated in such a way that the only nonempty sequences that can occur to the left of the turnstile (the symbol '$\vdash$') are well-formed environments. This will make unnecessary the premises which "justify" the discharged assumptions; for these assumptions will all occur to the left of the turnstile in the premises of the rules and will hence be part of well-formed environments, and so these premises will automatically hold. The fact that $\Gamma$ is a well-formed environment will be equivalent to the derivability of the sequent

$$\Gamma \vdash \mathrm{Prop} : \mathrm{Type}.$$

The system will be called TACS.

Note that until the equivalence of TAC and TACS is proved, it will be necessary to specify the system with respect to which an environment is well-formed. Until notice to the contrary is given, a well-formed environment will mean with respect to TACS.

Definition 4.21 (The type assignment system TACS) The system TACS is a sequent calculus; its sequents are of the form

$$\Gamma \vdash E, \qquad (4.11)$$

where $\Gamma$ is a sequence of TAC formulas and $E$ is a TAC formula. The system has one axiom:

$$(\mathrm{P\,T}) \qquad \vdash \mathrm{Prop} : \mathrm{Type}$$

Its rules are as follows, where, in each case, $x$ is a variable which does not occur free in $\Gamma$ or in $A$, and $\kappa$ is any kind:

I. Well-formed environments:

$$(\mathrm{P}i) \qquad \dfrac{\Gamma \vdash A : \kappa}{\Gamma, x : A \vdash \mathrm{Prop} : \mathrm{Type}}$$

II. Introduction of product:

$$(\forall i) \qquad \dfrac{\Gamma, x : A \vdash B : \kappa}{\Gamma \vdash (\forall x : A)B : \kappa}$$

III. Introduction of a variable:

$$(\mathrm{P}e) \qquad \dfrac{\Gamma \vdash \mathrm{Prop} : \mathrm{Type}}{\Gamma \vdash y : A} \qquad \text{Condition: } y : A \text{ occurs in } \Gamma \text{ and } y \text{ does not occur free in } A.$$

IV. Lambda introduction:

$$(\lambda i) \qquad \dfrac{\Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x{:}A\,.\,M : (\forall x : A)B}$$

V. Application:

$$(\forall e) \qquad \dfrac{\Gamma \vdash M : (\forall x : A)B \qquad \Gamma \vdash N : A}{\Gamma \vdash MN : [N/x]B}$$

VI. Equality rules:

(Eq$''$) If $A = B$, then

$$\dfrac{\Gamma \vdash M : B}{\Gamma \vdash M : A}$$

(Eq$'\kappa$) If $A = B$, then

$$\dfrac{\Gamma \vdash B : \kappa}{\Gamma \vdash A : \kappa}$$

VII. Changes of bound variables:

($\equiv_\alpha$) If $N$ is obtained from $M$ by changes of bound variables, then

$$\dfrac{\Gamma \vdash M : A}{\Gamma \vdash N : A}$$
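As an added worked example (not part of the original text), here is a TACS derivation of the polymorphic identity, using only the axiom and the rules of Definition 4.21; the variable names $A$ and $x$ are the example's own:

$$\begin{array}{lll}
1. & \vdash \mathrm{Prop} : \mathrm{Type} & \text{axiom (P T)}\\
2. & A : \mathrm{Prop} \vdash \mathrm{Prop} : \mathrm{Type} & (\mathrm{P}i)\ \text{from 1, with}\ \kappa \equiv \mathrm{Type}\\
3. & A : \mathrm{Prop} \vdash A : \mathrm{Prop} & (\mathrm{P}e)\ \text{from 2}\\
4. & A : \mathrm{Prop},\ x : A \vdash \mathrm{Prop} : \mathrm{Type} & (\mathrm{P}i)\ \text{from 3, with}\ \kappa \equiv \mathrm{Prop}\\
5. & A : \mathrm{Prop},\ x : A \vdash x : A & (\mathrm{P}e)\ \text{from 4}\\
6. & A : \mathrm{Prop} \vdash \lambda x{:}A\,.\,x : (\forall x : A)A & (\lambda i)\ \text{from 5}\\
7. & \vdash \lambda A{:}\mathrm{Prop}\,.\,\lambda x{:}A\,.\,x : (\forall A : \mathrm{Prop})(\forall x : A)A & (\lambda i)\ \text{from 6}
\end{array}$$

Steps 2 and 4 show the point of the formulation: the formulas $\mathrm{Prop} : \mathrm{Type}$ and $A : \mathrm{Prop}$, which ($\forall\kappa$i) in TAC would require as separate premises to justify the discharged assumptions, are consumed here by ($\mathrm{P}i$) to extend the environment, and the two ($\lambda i$) steps then need no kind premise at all.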

We shall now establish the equivalence of TACS and TAC:

Lemma 4.9 If $\Gamma \vdash_{\mathrm{TACS}} E$ for any formula $E$, and if $\Gamma'$ is any initial segment of $\Gamma$ (possibly including $\Gamma$ itself), then each derivation of $\Gamma \vdash_{\mathrm{TACS}} E$ contains a subderivation of $\Gamma' \vdash_{\mathrm{TACS}} \mathrm{Prop} : \mathrm{Type}$.

Proof By induction on the derivation of $\Gamma \vdash_{\mathrm{TACS}} E$.

Basis: If $\Gamma \vdash_{\mathrm{TACS}} E$ is the axiom (P T), then $\Gamma'$ is empty, and the result is trivial.

Induction step: We assume the property for each premise of a rule and prove it for the conclusion.

If the sequence to the left of $\vdash$ in the conclusion is an initial segment of that of at least one premise, this is trivial. This takes care of all rules except (Pi). In this case, $\Gamma$ is $\Gamma_1, x : A$, and $E$ is $\mathrm{Prop} : \mathrm{Type}$. If $\Gamma'$ is all of $\Gamma$, then the entire derivation is what we seek. Otherwise, $\Gamma'$ is an initial segment of $\Gamma_1$, and the result is trivial by the induction hypothesis. ■

Lemma 4.10 If $\Gamma \vdash_{\mathrm{TACS}} \mathrm{Prop} : \mathrm{Type}$, then $\Gamma$ is a well-formed environment.

Proof By induction on the pair $(n, m)$, where $n$ is the number of formulas in $\Gamma$ and $m$ is the length of the derivation of $\Gamma \vdash_{\mathrm{TACS}} \mathrm{Prop} : \mathrm{Type}$.

Basis: Trivial, since $\Gamma$ is empty.

Induction step: Assume the lemma for any initial subsequence $\Gamma'$, and suppose that $\Gamma$ is $\Gamma', x : A$. By the induction hypothesis, $\Gamma'$ is a well-formed environment. Now the only rules of which

$$\Gamma', x : A \vdash_{\mathrm{TACS}} \mathrm{Prop} : \mathrm{Type}$$

can be the conclusion are the equality rules and (Pi). If the rule is an equality rule, then by Lemma 4.9 there is a subderivation of the derivation of the premise of the inference which is a derivation of

$$\Gamma', x : A \vdash_{\mathrm{TACS}} \mathrm{Prop} : \mathrm{Type},$$

and so the conclusion follows by the induction hypothesis; if the rule is (Pi), then it follows that $x$ does not occur free in $\Gamma'$ or in $A$ and that

$$\Gamma' \vdash_{\mathrm{TACS}} A : \kappa.$$

Since $\Gamma'$ is a well-formed environment, this implies that $\Gamma$ is as well. ■

Lemma 4.11 If $\Gamma \vdash_{\mathrm{TACS}} E$, then $\Gamma$ is a well-formed environment.

Proof Lemmas 4.9 and 4.10. ■



Theorem 4.17 There is a formula $E$ such that $\Gamma \vdash_{\mathrm{TACS}} E$ if and only if $\Gamma$ is a well-formed environment.

Proof The "only if" part is Lemma 4.11. The "if" part is easy using the axiom and rule (Pi). ■


We are now in a position to prove the equivalence between TAC and TACS.

Theorem 4.18 If

$$\Gamma \vdash_{\mathrm{TACS}} E, \qquad (4.12)$$

then

$$\Gamma \vdash_{\mathrm{TAC}} E. \qquad (4.13)$$

Proof By induction on the derivation of (4.12).

Basis: (4.12) is axiom (P T). Then $\Gamma$ is empty, $E$ is $\mathrm{Prop} : \mathrm{Type}$, and (4.13) holds by axiom (P T) in TAC.

Induction step: The cases are by the last rule used in the derivation of (4.12).

Case (Pi). Trivial.

Case ($\forall$i). $E$ is $(\forall x : A)B : \kappa'$, where $x$ does not occur free in $A$ or $\Gamma$, and the premise is

$$\Gamma, x : A \vdash_{\mathrm{TACS}} B : \kappa'.$$

By the induction hypothesis,

$$\Gamma, x : A \vdash_{\mathrm{TAC}} B : \kappa'.$$

Furthermore, by Theorem 4.17, $\Gamma, x : A$ is a well-formed environment (with respect to TACS). This means that the derivation of (4.12) includes a subderivation of

$$\Gamma \vdash_{\mathrm{TACS}} A : \kappa.$$

Hence, again by the induction hypothesis,

$$\Gamma \vdash_{\mathrm{TAC}} A : \kappa.$$

Hence, (4.13) follows by ($\kappa\kappa'$Formation).

Case (Pe). Trivial by the conventions of natural deduction systems.

Case ($\lambda$i). Similar to Case ($\forall$i), using ($\forall\kappa$i).

Case ($\forall$e). $E$ is $MN : [N/x]B$, and the premises are

$$\Gamma \vdash_{\mathrm{TACS}} M : C \quad\text{and}\quad \Gamma \vdash_{\mathrm{TACS}} N : A,$$

where $C = (\forall x : A)B$. By the induction hypothesis

$$\Gamma \vdash_{\mathrm{TAC}} M : C \quad\text{and}\quad \Gamma \vdash_{\mathrm{TAC}} N : A.$$

(4.13) then follows by rules (Eq$''$) and ($\forall$e).

Case (Eq$''$). Trivial by rule (Eq$''$).

Case (Eq$'\kappa$). Trivial by rule (Eq$'\kappa$).

Case ($\equiv_\alpha$). Trivial by rule ($\equiv_\alpha$). ■

For the converse we have:

Theorem 4.19 If $\Gamma$ is a well-formed environment, and if (4.13) holds, then (4.12) holds.

Proof By induction on the proof of (4.13).

Basis: If (4.13) is axiom (P T), then (4.12) follows by axiom (P T).

Induction step: The cases are by the last rule in the deduction of (4.13).

Case ($\kappa\kappa'$Formation). (4.13) is

$$\Gamma \vdash_{\mathrm{TAC}} (\forall x : A)B : \kappa',$$

where $x$ does not occur free in $A$ or in $\Gamma$. The premises are

$$\Gamma \vdash_{\mathrm{TAC}} A : \kappa \quad\text{and}\quad \Gamma, x : A \vdash_{\mathrm{TAC}} B : \kappa'.$$

Hence, $\Gamma, x : A$ is a well-formed environment (with respect to TAC), and so by the induction hypothesis

$$\Gamma, x : A \vdash_{\mathrm{TACS}} B : \kappa'.$$

Hence, (4.12) follows by ($\forall$i).

Case ($\forall$e). (4.13) is

$$\Gamma \vdash_{\mathrm{TAC}} MN : [N/x]B,$$

where the premises are

$$\Gamma \vdash_{\mathrm{TAC}} M : (\forall x : A)B \quad\text{and}\quad \Gamma \vdash_{\mathrm{TAC}} N : A.$$

By the induction hypothesis,

$$\Gamma \vdash_{\mathrm{TACS}} M : (\forall x : A)B \quad\text{and}\quad \Gamma \vdash_{\mathrm{TACS}} N : A.$$

Hence, (4.12) follows by rule ($\forall$e).

Case ($\forall\kappa$i). (4.13) is

$$\Gamma \vdash_{\mathrm{TAC}} \lambda x{:}A\,.\,M : (\forall x : A)B,$$

where the premises are

$$\Gamma, x : A \vdash_{\mathrm{TAC}} M : B \quad\text{and}\quad \Gamma \vdash_{\mathrm{TAC}} A : \kappa,$$

and where $x$ does not occur free in $A$ or in $\Gamma$. It follows that $\Gamma, x : A$ is a well-formed environment with respect to TAC, and so by the induction hypothesis,

$$\Gamma, x : A \vdash_{\mathrm{TACS}} M : B.$$

Hence, (4.12) follows by rule ($\lambda$i).

Cases (Eq$''$), (Eq$'\kappa$), and ($\equiv_\alpha$). Trivial by the corresponding rules in TACS. ■
Theorem 4.20 A necessary and sufficient condition that (4.12) hold is that $\Gamma$ be a well-formed environment (with respect to TAC) and that (4.13) hold.¹³

Proof Theorems 4.18 and 4.19. ■

Corollary 4.20.1 An environment $\Gamma$ is well-formed with respect to TAC if and only if it is well-formed with respect to TACS.

For this reason, we shall no longer specify the system with respect to which an environment is well-formed.

Remark The system TACS is slightly more general than the sequent version of the theory of constructions presented by Coquand and Huet in that its equality rules are more general. To obtain a natural deduction system equivalent to Huet's system, the rules (Eq$'\kappa$) must be deleted, rule (Eq$''$) must be replaced by the two more restricted rules

$$\dfrac{M : A \qquad B : \kappa \qquad A = B}{M : B}$$

and rule ($\equiv_\alpha$) must be generalized to allow changes of bound variables in both parts of a formula $M : A$. The corresponding changes in TACS include introducing equality rules corresponding to those given above, and modifying rule ($\equiv_\alpha$) accordingly.¹⁴


¹³ Pottinger [Pot87] proposes a sequent formulation that is closer to TAC than is TACS and helps
the equivalence. In Pottinger's system, which he calls TOC 1, rules (Pi) and ($\forall$i) are
respectively, by Hyp ($\Gamma \vdash A : \kappa \Rightarrow \Gamma, x : A \vdash x : A$) and Heit ($\Gamma \vdash B : \kappa,\ \Gamma \vdash C \Rightarrow \Gamma, x : B \vdash C$).
proves that TOC 1 is equivalent to TACS (which he calls TOC 2). Since Pottinger's TOC 1 is
version of TAC in the style of Fitch [Fit52], Pottinger's equivalence result can be considered
of this theorem.

¹⁴ TOC 1 (see the previous footnote) actually uses this more restricted version of the
Chapter 5

REPRESENTING LOGIC AND MATHEMATICS IN THE THEORY OF CONSTRUCTIONS

It is now time to show that the theory of constructions can be a useful basis for the ULYSSES system, and to show that we can represent many important concepts from logic and mathematics in the theory.

This representation has actually been done by Coquand and Huet¹. However, their presentation consists of little more than definitions and examples, and so a number of people have doubted the power of the theory. Here, in addition to the important definitions and examples, we shall look at some proof-theoretic consequences of the strong normalization theorem to show that these concepts behave the way we want them to.

We begin in Section 5.1 with the representation of propositional and predicate logic with equality. In Section 5.2 we discuss the addition of axioms to the system and how this might affect consistency. Then, in the remaining sections, we take up the representation of arithmetic, elementary set theory, functions, and lists.


5.1 Representing logic with equality

We have already discussed representing the connectives and quantifiers of logic in TAP (Section 2.4) and TAT (Section 3.6). Since TAP can be interpreted in the theory of constructions (by Theorem 4.2), we can use those same definitions. It will be convenient to repeat the appropriate definitions here. They are taken practically word-for-word from Section 3.6, but a notation more suggestive of logic will be used.

To use these definitions, we need the arrow, or function-space, type. This now becomes the implication proposition operator:

Definition 5.1 (Implication proposition operator) The term $\mathrm{F}$ is defined as follows:

$$\mathrm{F} \equiv \lambda u{:}\mathrm{Prop}\,.\,\lambda v{:}\mathrm{Prop}\,.\,(\forall x : u)v.$$

We use either $A \to B$ or $A \supset B$ as an abbreviation for $\mathrm{F}AB$, depending on the context.

It is easy to show that $\to$ satisfies the rules ($\to$e) and ($\to$i). This means, of course, that $\supset$ satisfies rules ($\supset$e) and ($\supset$i).

Definition 5.2 (Cartesian product proposition) The conjunction proposition operator and its associated pairing and projection operators are defined as follows:

(a) $\wedge \equiv \lambda u{:}\mathrm{Prop}\,.\,\lambda v{:}\mathrm{Prop}\,.\,(\forall w : \mathrm{Prop})((u \to v \to w) \to w)$;

(b) $\mathrm{D} \equiv \lambda u{:}\mathrm{Prop}\,.\,\lambda v{:}\mathrm{Prop}\,.\,\lambda x{:}u\,.\,\lambda y{:}v\,.\,\lambda w{:}\mathrm{Prop}\,.\,\lambda z{:}u \to v \to w\,.\,zxy$;

(c) $\mathrm{fst} \equiv \lambda u{:}\mathrm{Prop}\,.\,\lambda v{:}\mathrm{Prop}\,.\,\lambda x{:}{\wedge}uv\,.\,xu(\lambda y{:}u\,.\,\lambda z{:}v\,.\,y)$; and

(d) $\mathrm{snd} \equiv \lambda u{:}\mathrm{Prop}\,.\,\lambda v{:}\mathrm{Prop}\,.\,\lambda x{:}{\wedge}uv\,.\,xv(\lambda y{:}u\,.\,\lambda z{:}v\,.\,z)$.

We use $A \wedge B$ as an abbreviation for ${\wedge}AB$.

It is not at all difficult to prove from these definitions that if $A : \mathrm{Prop}$ and $B : \mathrm{Prop}$, then

$$\mathrm{D}AB : A \to B \to A \wedge B,$$

$$\mathrm{fst}\,AB : A \wedge B \to A,$$

and

$$\mathrm{snd}\,AB : A \wedge B \to B.$$

Furthermore, it is easy to see that if $M : A$ and $N : B$, then

$$\mathrm{fst}\,AB(\mathrm{D}ABMN) = M$$

and

$$\mathrm{snd}\,AB(\mathrm{D}ABMN) = N.$$


Definition 5.3 (Disjunction proposition operator) The disjunction proposition operator and its associated injection and case operators are defined as follows:

(a) $\vee \equiv \lambda u{:}\mathrm{Prop}\,.\,\lambda v{:}\mathrm{Prop}\,.\,(\forall w : \mathrm{Prop})((u \to w) \to ((v \to w) \to w))$;

(b) $\mathrm{inl} \equiv \lambda u{:}\mathrm{Prop}\,.\,\lambda v{:}\mathrm{Prop}\,.\,\lambda x{:}u\,.\,\lambda w{:}\mathrm{Prop}\,.\,\lambda f{:}u \to w\,.\,\lambda g{:}v \to w\,.\,fx$;

(c) $\mathrm{inr} \equiv \lambda u{:}\mathrm{Prop}\,.\,\lambda v{:}\mathrm{Prop}\,.\,\lambda y{:}v\,.\,\lambda w{:}\mathrm{Prop}\,.\,\lambda f{:}u \to w\,.\,\lambda g{:}v \to w\,.\,gy$; and

(d) $\mathrm{case} \equiv \lambda u{:}\mathrm{Prop}\,.\,\lambda v{:}\mathrm{Prop}\,.\,\lambda z{:}{\vee}uv\,.\,\lambda w{:}\mathrm{Prop}\,.\,\lambda f{:}u \to w\,.\,\lambda g{:}v \to w\,.\,zwfg$.

We use $A \vee B$ as an abbreviation for ${\vee}AB$.

It is easy to show that if $A : \mathrm{Prop}$ and $B : \mathrm{Prop}$, then

$$\mathrm{inl}\,AB : A \to A \vee B,$$

$$\mathrm{inr}\,AB : B \to A \vee B,$$

and

$$\mathrm{case}\,AB : A \vee B \to (\forall w : \mathrm{Prop})((A \to w) \to ((B \to w) \to w)).$$

Furthermore, it is easy to show that if $C : \mathrm{Prop}$, $M : A$, $N : B$, $F : A \to C$, and $G : B \to C$, then

$$\mathrm{case}\,AB(\mathrm{inl}\,ABM)CFG = FM$$

and

$$\mathrm{case}\,AB(\mathrm{inr}\,ABN)CFG = GN.$$

Definition 5.4 (False proposition) $\bot \equiv (\forall x : \mathrm{Prop})x$.

With regard to the existential quantifier, we are now in a position to remove an anomaly from Definition 3.16. For we now have the machinery to refer to functions whose values are types.

Definition 5.5 (Existential quantifier) The existential quantifier proposition operator and its associated pairing and projection functions are defined as follows:

(a) $\Sigma \equiv \lambda u{:}\mathrm{Prop}\,.\,\lambda v{:}u \to \mathrm{Prop}\,.\,(\forall w : \mathrm{Prop})((\forall x : u)(vx \to w) \to w)$;

(b) $\mathrm{D}' \equiv \lambda u{:}\mathrm{Prop}\,.\,\lambda v{:}u \to \mathrm{Prop}\,.\,\lambda x{:}u\,.\,\lambda y{:}vx\,.\,\lambda w{:}\mathrm{Prop}\,.\,\lambda z{:}(\forall x : u)(vx \to w)\,.\,zxy$; and

(c) $\mathrm{proj} \equiv \lambda u{:}\mathrm{Prop}\,.\,\lambda v{:}u \to \mathrm{Prop}\,.\,\lambda w{:}\mathrm{Prop}\,.\,\lambda z{:}(\forall x : u)(vx \to w)\,.\,\lambda y{:}\Sigma uv\,.\,ywz$.

We use $(\exists x : A)B$ as an abbreviation for $\Sigma A(\lambda x{:}A\,.\,B)$.

It is not hard to show that if $A : \mathrm{Prop}$ and $B : A \to \mathrm{Prop}$, then

$$(\exists x : A)(Bx) : \mathrm{Prop},$$

$$\mathrm{D}'AB : (\forall u : A)(Bu \to (\exists x : A)(Bx)),$$

and

$$\mathrm{proj}\,AB : (\forall x : \mathrm{Prop})((\forall u : A)(Bu \to x) \to ((\exists w : A)(Bw) \to x)).$$

Furthermore, if in addition $C : \mathrm{Prop}$, $M : A$, $N : BM$, and $Z : (\forall u : A)(Bu \to C)$, then

$$\mathrm{proj}\,ABCZ(\mathrm{D}'ABMN) = ZMN.$$

Note that $\mathrm{D}'$ differs from $\mathrm{D}$ only in the types postulated for some of the bound variables. But this difference is enough to make it impossible to define a right projection for $\mathrm{D}'$ that is correctly typed².

We can also define equality over any type:

² On this point, see [Car86]. Of course, fst works as a left projection function for $\mathrm{D}'$.
Definition 5.6 (Equality proposition) The equality proposition

$$M =_A N,$$

where $A$ is assigned type Prop, is defined to be

$$\mathrm{Q}AMN,$$

where

$$\mathrm{Q} \equiv \lambda u{:}\mathrm{Prop}\,.\,\lambda x{:}u\,.\,\lambda y{:}u\,.\,(\forall z : u \to \mathrm{Prop})(zx \to zy).$$

It is not hard to show that if $A : \mathrm{Prop}$ and $X : A$, then

$$\lambda z{:}A \to \mathrm{Prop}\,.\,\lambda u{:}zX\,.\,u : X =_A X,$$

and that if in addition $Y : A$, $M : X =_A Y$, $Z : A \to \mathrm{Prop}$, and $N : ZX$, then

$$MZN : ZY.$$

This gives us the reflexive law of the equality proposition and the substitution property; these two properties are well known to imply all the usual properties of equality.

It is not hard to see from this that we have all the usual properties of constructive predicate logic with equality.
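As an added worked example, not part of the original text, the two facts just stated can be combined to derive the symmetric and transitive laws; the predicate $Z$ chosen below and the name $R$ for the reflexivity term are the example's own. Unfolding Definition 5.6,

$$X =_A Y \equiv \mathrm{Q}AXY = (\forall z : A \to \mathrm{Prop})(zX \to zY),$$

so for $M : X =_A Y$ and $Z : A \to \mathrm{Prop}$, rule ($\forall$e) gives $MZ : ZX \to ZY$, and for $N : ZX$, rule ($\to$e) gives $MZN : ZY$; this is the substitution property. Now take

$$Z \equiv \lambda v{:}A\,.\,(v =_A X), \qquad R \equiv \lambda z{:}A \to \mathrm{Prop}\,.\,\lambda u{:}zX\,.\,u,$$

so that $ZX = (X =_A X)$ and $ZY = (Y =_A X)$ by $\beta$-conversion, $Z : A \to \mathrm{Prop}$ (since $\mathrm{Q}AvX : \mathrm{Prop}$ for $v : A$), and $R : ZX$ by rule (Eq$''$). Then

$$MZR : ZY = (Y =_A X),$$

and so, discharging the assumption on $M$,

$$\lambda M{:}X =_A Y\,.\,M(\lambda v{:}A\,.\,(v =_A X))R : (X =_A Y) \to (Y =_A X),$$

which is the symmetric law. Transitivity is obtained in the same way: from $M : X =_A Y$ and $M' : Y =_A W$, take $Z \equiv \lambda v{:}A\,.\,(X =_A v)$, so that $ZY = (X =_A Y)$ and $ZW = (X =_A W)$, and then $M'ZM : X =_A W$.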

We can also interpret classical logic. One interpretation³ is based on the following easily proved facts about intuitionistic logic:

$$\vdash \neg\neg\neg A \supset \neg A,$$

$$\neg\neg A \supset A,\ \neg\neg B \supset B \vdash \neg\neg(A \wedge B) \supset (A \wedge B),$$

and

$$\neg\neg A(x) \supset A(x) \vdash \neg\neg(\forall x)A(x) \supset (\forall x)A(x).$$

Results corresponding to these can easily be proved in the theory of constructions. This means that for formulas $A$ which are classical, that is for which $\vdash \neg\neg A \supset A$, the logic is classical. Furthermore, all negative formulas are classical and both $\wedge$ and $\forall$ preserve classical formulas. For other classical connectives and the existential quantifier, we can use their familiar classical properties to define them:

$$A \supset_c B \equiv \neg(A \wedge \neg B),$$

$$A \vee_c B \equiv \neg(\neg A \wedge \neg B),$$

and

$$(\exists_c x : A)B \equiv \neg(\forall x : A)\neg B.$$

Since these are all negative formulas, they are all classical.

³ See [CH] §3.3, where this is done for propositional logic.

It is not hard to prove that if $A$ is classical (in a well-formed environment $\Gamma$), then there is a term $M$ all of whose free variables are assigned types in $\Gamma$ such that

$$\Gamma \vdash_{\mathrm{TAC}} M : \neg A \vee_c A.$$


A second method of interpreting classical logic is as follows: define

$$\mathrm{Bool} = (\forall u : \mathrm{Prop})(u \to u \to u),$$

$$\mathsf{T} = \lambda u{:}\mathrm{Prop}\,.\,\lambda x{:}u\,.\,\lambda y{:}u\,.\,x,$$

$$\mathsf{F} = \lambda u{:}\mathrm{Prop}\,.\,\lambda x{:}u\,.\,\lambda y{:}u\,.\,y.$$

Here, Bool represents the boolean type familiar from the usual programming languages,
and T and F the familiar truth values. The familiar if ... then ... else
operator is defined as follows:

$$\mathrm{Cond} = \lambda u{:}\mathrm{Prop}\,.\,\lambda v{:}\mathrm{Bool}\,.\,\lambda x{:}u\,.\,\lambda y{:}u\,.\,vuxy.$$

It is easy to prove that $\mathsf{T} : \mathrm{Bool}$ and $\mathsf{F} : \mathrm{Bool}$ and, if $A$ is any type in Prop and $M : A$ and
$N : A$, then

$$\mathrm{Cond}\,A\,\mathsf{T}\,M\,N =_\beta M$$

and

$$\mathrm{Cond}\,A\,\mathsf{F}\,M\,N =_\beta N.$$

The propositional connectives familiar to most programmers can now be defined:

$$\neg_k = \lambda x{:}\mathrm{Bool}\,.\,\mathrm{Cond}\,\mathrm{Bool}\,x\,\mathsf{F}\,\mathsf{T},$$

$$\wedge_k = \lambda x{:}\mathrm{Bool}\,.\,\lambda y{:}\mathrm{Bool}\,.\,x\,\mathrm{Bool}\,y\,\mathsf{F},$$

and

$$\vee_k = \lambda x{:}\mathrm{Bool}\,.\,\lambda y{:}\mathrm{Bool}\,.\,x\,\mathrm{Bool}\,\mathsf{T}\,y.$$

It is then easy to prove the following:

$$\neg_k\mathsf{T} =_\beta \mathsf{F}, \qquad \neg_k\mathsf{F} =_\beta \mathsf{T},$$

$$\wedge_k\mathsf{T}\mathsf{T} =_\beta \mathsf{T}, \quad \wedge_k\mathsf{F}\mathsf{T} =_\beta \mathsf{F}, \quad \wedge_k\mathsf{T}\mathsf{F} =_\beta \mathsf{F}, \quad \wedge_k\mathsf{F}\mathsf{F} =_\beta \mathsf{F},$$

$$\vee_k\mathsf{T}\mathsf{T} =_\beta \mathsf{T}, \quad \vee_k\mathsf{F}\mathsf{T} =_\beta \mathsf{T}, \quad \vee_k\mathsf{T}\mathsf{F} =_\beta \mathsf{T}, \quad \vee_k\mathsf{F}\mathsf{F} =_\beta \mathsf{F}.$$

We can then get implication as usual by defining

$$\supset_k = \lambda x{:}\mathrm{Bool}\,.\,\lambda y{:}\mathrm{Bool}\,.\,\neg_k(x \wedge_k \neg_k y),$$

and its usual truth table properties will follow.

In this formulation of classical logic, a proof of a proposition $A$ is not a term with
that proposition as its type, but rather a term with the type $A =_{\mathrm{Bool}} \mathsf{T}$. Thus, unlike
the first interpretation of classical logic and the interpretation of constructive logic, this
interpretation is based on a different set of terms to represent the propositions. In fact,
it is based on the idea⁴ that there are only two propositions, T and F.
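As an added illustration (not part of the original document), the second interpretation can be typed directly in TypeScript, whose generic function types play the role of the $(\forall u : \mathrm{Prop})$ quantifier: Bool becomes the type of polymorphic functions that take two arguments of one type and return one of them, and Cond, $\neg_k$, $\wedge_k$, $\vee_k$ and $\supset_k$ are the terms above with the Prop argument carried by the type parameter. The names churchTrue, churchFalse, toBoolean, fromBoolean and truthTable are the example's own, not the document's.

```typescript
// Church booleans: Bool = (forall u : Prop)(u -> u -> u).
// The type parameter U stands for the Prop argument u of the document's terms.
type Bool = <U>(x: U, y: U) => U;

// T and F select the first or the second argument.
const churchTrue: Bool = (x, _y) => x;
const churchFalse: Bool = (_x, y) => y;

// Cond u v x y = v u x y; the type argument u is TypeScript's U.
const cond = <U>(v: Bool, x: U, y: U): U => v<U>(x, y);

// not_k x = Cond Bool x F T
const notK = (x: Bool): Bool => cond<Bool>(x, churchFalse, churchTrue);
// and_k x y = x Bool y F
const andK = (x: Bool, y: Bool): Bool => x<Bool>(y, churchFalse);
// or_k x y = x Bool T y
const orK = (x: Bool, y: Bool): Bool => x<Bool>(churchTrue, y);
// imp_k x y = not_k (x and_k (not_k y))
const impK = (x: Bool, y: Bool): Bool => notK(andK(x, notK(y)));

// Decode a Church boolean by instantiating u := boolean, and encode one.
const toBoolean = (b: Bool): boolean => b<boolean>(true, false);
const fromBoolean = (b: boolean): Bool => (b ? churchTrue : churchFalse);

// Rows of a binary connective's truth table, in the order the document lists
// them (TT, FT, TF, FF); each entry is the decoded value of op applied to the row.
const truthTable = (op: (x: Bool, y: Bool) => Bool): boolean[] => {
  const rows: [boolean, boolean][] = [[true, true], [false, true], [true, false], [false, false]];
  return rows.map(([x, y]) => toBoolean(op(fromBoolean(x), fromBoolean(y))));
};
```

In this encoding a term of type Bool can only ever be T or F, which is exactly the two-proposition idea the text attributes to Frege; the tables for $\wedge_k$ and $\vee_k$ listed above, and the derived one for $\supset_k$, are what truthTable computes.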

Extending this second interpretation to quantifier logic is a bit complicated. The
obvious way to proceed is to assume that we have a propositional function $A$ over some
domain $D$, which is a type. In this case, this means that $A : D \to \mathrm{Bool}$. We would want
$(\forall_k x : D)(Ax)$ to be T if and only if $AM$ is T for every $M : D$ and to be F otherwise;
but this specification assumes classical logic, whereas the type

$$(\forall x : D)(Ax =_{\mathrm{Bool}} \mathsf{T})$$

is treated constructively by TAC, and in general there is no term with the type

$$(\forall x : D)(Ax =_{\mathrm{Bool}} \mathsf{T}) \vee (\exists x : D)(Ax =_{\mathrm{Bool}} \mathsf{F}).$$

One possible solution is to use the first interpretation of classical logic, and replace $\exists$ by
$\exists_c$. But this will only work if $D$ is a type for which there is a term of type

$$(\forall x : D)(\neg\neg\, Ax =_{\mathrm{Bool}} \mathsf{T} \supset Ax =_{\mathrm{Bool}} \mathsf{T}).$$

A third possible method of interpreting classical logic is to add a new axiom by
assigning to an atomic constant the type

$$(\forall u : \mathrm{Prop})(\neg u \vee u).$$

We will have more to say about this in Section 5.2.

⁴Originally due to Frege.
5.2 Adding axioms to the theory of constructions

As we have seen, when logic is represented in the theory of constructions, the
formulas are all represented by types in Prop; the terms in these types represent
proofs. One consequence of this is that assuming a new axiom $A$ will mean taking a
new atomic constant $c$ and adding $c : A$ as a new assumption to the environment.

Now the way we have proved the strong normalization theorem in Chapter 4 guarantees
that such constants can be added without interfering with the proof of the theorem,
provided that these new constants do not occur at the heads of new redexes. But this is
just the way new axioms are added. Thus, adding new axioms does not have any effect
on the strong normalization theorem.

But adding new axioms may well affect the consistency of the system. Suppose, for
example, we assume $c : \bot$. This amounts to assuming $\bot$ as an axiom, i.e., to assuming
the inconsistency of the system. This is one way in which the theory of constructions
differs from the second order polymorphic typed $\lambda$-calculus: in the latter, Theorem 2.4
shows that the strong normalization theorem implies both the consistency of the entire
system and of any set of assumptions⁵, whereas in the former, as we have seen, the
strong normalization theorem does not imply the consistency of all sets of assumptions.

The strong normalization theorem does, however, imply the consistency of the empty
environment, and thus of the system TAC itself:

Theorem 5.1 (Consistency of TAC) There is no closed term $M$ such that

$$\vdash_{\mathrm{TAC}} M : \bot.$$

Proof Similar to the proof of Theorem 2.4. ■

Note that this proves the consistency of the higher-order constructive and classical
logic of the previous section.

Although the strong normalization theorem does not imply the consistency of all sets
of assumptions, it does imply the consistency of some particular sets of assumptions.
For example, suppose $\Gamma$ is

$$x_1 : \neg A_1,\ x_2 : \neg A_2,\ \ldots,\ x_n : \neg A_n,$$

where $\neg A$ is defined to be $A \supset \bot$. To show that $\Gamma$ is consistent it is sufficient to show
that there is no closed term $M$ for which

$$\Gamma \vdash_{\mathrm{TAC}} M : A_i$$

for any $i$. As an example, let us prove that negations of equations between terms with
distinct normal forms are consistent if there are no other assumptions.

⁵Of course, if we allowed new constants in TAP, we would get the same sort of possibilities for
inconsistency that we have in the theory of constructions.
Theorem 5.2 (Q-consistency⁶) Let $\Gamma$ be a set of assumptions in which each formula
assigns to a new (distinct) constant a type which converts to the form $\neg\, P =_A Q$ for terms
$P$ and $Q$ of type $A$ with distinct normal forms. Suppose that there is a closed term $R$
such that

$$\Gamma \vdash_{\mathrm{TAC}} R : M =_A N.$$

Then

$$M =_\beta N.$$

Proof Let $\mathcal{D}$ be a deduction in normal form of

$$\Gamma \vdash_{\mathrm{TAC}} R : M =_A N.$$

Without loss of generality, we may suppose that $\mathcal{D}$ does not contain a proper subdeduction
with a conclusion of the same form. Suppose that the last inference in $\mathcal{D}$ (except for
equality rules) is by ($\forall$e). Because $\mathcal{D}$ is normal, the only inferences in the left branch of
$\mathcal{D}$ are ($\forall$e) and (Eq″). Consider the formula at the top of the left branch of $\mathcal{D}$. Because
of the form of $\mathcal{D}$ and of the rules of TAC, this formula is not a discharged assumption.
If it is a formula of $\Gamma$, then the deduction of the minor (right) premise for the inference
by ($\forall$e) of which the formula in question is the major (left) premise is a proper subdeduction
of $\mathcal{D}$ whose conclusion has the same form as the conclusion of $\mathcal{D}$, contrary to
hypothesis. Hence, it must be an undischarged assumption. But then the term of that
formula to which the type is assigned is a variable $x$, and $R \equiv xR_1R_2\ldots R_n$, contradicting
the assumption that $R$ is closed. Hence, the last non-equality inference in $\mathcal{D}$ is
not by ($\forall$e).

Since

$$M =_A N \;=_\beta\; (\forall z : A \to \mathrm{Prop})(zM \to zN),$$

it follows that that last non-equality inference is by ($\forall$Pi), $R \equiv \lambda z{:}A \to \mathrm{Prop}\,.\,P$, and
$\mathcal{D}$ has the form⁷

                          1
                   [z : A → Prop]
                       𝒟₁(z)                Prop : Type      A : Prop
                                            ─────────────────────────── (∀e)
                   P : zM → zN                   A → Prop : Type
                   ─────────────────────────────────────────────────── (∀Pi − 1)
                   λz : A → Prop . P : (∀z : A → Prop)(zM → zN),

where $z$ is a variable which does not occur free in $\Gamma$, $M$, or $N$. An argument similar to
the above argument for $\mathcal{D}$ shows that the last non-eq inference in $\mathcal{D}_1(z)$ is not by ($\forall$e),
provided that at the end of the argument we note that although $z$ may occur free in $P$,
since $z$ does not occur free in $\Gamma$ it can only occur free in the discharged assumption, and
the type assigned to $z$ by that assumption makes it impossible for it to occur at the top
of the left branch in $\mathcal{D}_1(z)$. Hence, the last non-eq inference in $\mathcal{D}_1(z)$ is by rule ($\forall$Pi),
$P \equiv \lambda w{:}zM\,.\,Q$, and $\mathcal{D}_1(z)$ has the form

                          2
                       [w : zM]
                       𝒟₂(w)                z : A → Prop      M : A
                                            ─────────────────────────── (→e)
                       Q : zN                      zM : Prop
                   ─────────────────────────────────────────────────── (∀Pi − 2)
                   λw : zM . Q : zM → zN,

where $w$ is a variable distinct from $z$ which does not occur free in $\Gamma$, $M$, or $N$. By an
argument similar to that above, the last inference in $\mathcal{D}_2(w)$ is not by rule ($\forall$e). Furthermore,
any deduction of $Q : zN$ must use the hypothesis $w : zM$. Since $\mathcal{D}_2(w)$ is normal
and $zM$ and $zN$ are simple types, it is not hard to see that the only rule that can occur
in $\mathcal{D}_2(w)$ is (Eq″), from which it follows that $Q \equiv w$ and, more important, $M =_\beta N$. ■

⁶This term is due to Curry; see [CF58], p. 270.

⁷Possibly modulo some manipulations involving rules (Eq′P), (Eq′T), and (Eq″); we will not bother
to mention this fact again in what follows.

Corollary 5.2.1 If $\Gamma$ is as in the theorem, then it is consistent; i.e.,

$$\Gamma \nvdash_{\mathrm{TAC}} \bot.$$

This theorem can be generalized somewhat. For example, if the types of the variables
are suitably restricted to prevent substitution instances of $P$ and $Q$ which are
convertible to each other, it is presumably possible to prove a version of the theorem for
universally quantified inequalities or for implications whose consequents are inequalities.
Furthermore, as we shall see in the next section, it is possible to prove a similar theorem
for a universally quantified inequality together with a universally quantified implication
between equalities in which it can be shown that if the terms in the antecedent have
distinct normal forms, then so do the terms in the consequent.

At the end of Section 5.1, we noted that we can obtain classical logic by taking
$(\forall u : \mathrm{Prop})(\neg u \vee u)$ as a new axiom; i.e., by assuming

$$c : (\forall u : \mathrm{Prop})(\neg u \vee u)$$

for an atomic constant $c$. We need some evidence that adding this assumption does not
introduce inconsistency. Of course, if we start with assumptions which are inconsistent
with the law of the excluded middle, then adding this assumption will lead to a contradiction.
But in most known systems without such assumptions, the consistency of the
constructive version of the system is well known to imply the consistency of the classical
version. This makes it likely that adding this assumption to most consistent well-formed
environments will not make the environment inconsistent.

Remark We have looked here at adding constants that do not head redexes. In general,
when we want a new redex, we define a closed term that can be shown by an ordinary
$\beta$-reduction to head the required redex. This does not mean that using such a definition
is the most efficient way to implement the system. It does, however, show that adding
the new constant and reduction rule will not upset the strong normalization theorem,
since any infinite reduction using the new constant and reduction rule would imply the
existence of an infinite reduction by ordinary $\beta$-reduction from the closed term which
can be shown to have the same reduction rule.
5.3 Representing arithmetic

As we saw in Section 2.4, we can easily represent the natural numbers. If that
definition is modified for TAC, it becomes the following:

Definition 5.7 (Natural number type)

(a) $\mathsf{N} = (\forall A : \mathrm{Prop})((A \to A) \to (A \to A))$;

(b) $0 = \lambda A{:}\mathrm{Prop}\,.\,\lambda x{:}A \to A\,.\,\lambda y{:}A\,.\,y$;

(c) $\sigma = \lambda u{:}\mathsf{N}\,.\,\lambda A{:}\mathrm{Prop}\,.\,\lambda x{:}A \to A\,.\,\lambda y{:}A\,.\,x(uAxy)$;

(d) $\pi = \lambda u{:}\mathsf{N}\,.\,\mathrm{snd}_{\mathsf{N},\mathsf{N}}(u(\mathsf{N} \times \mathsf{N})\,Q\,(D_{\mathsf{N},\mathsf{N}}\,0\,0))$,
where $Q = \lambda v{:}\mathsf{N} \times \mathsf{N}\,.\,D_{\mathsf{N},\mathsf{N}}(\sigma(\mathrm{fst}_{\mathsf{N},\mathsf{N}}\,v))(\mathrm{fst}_{\mathsf{N},\mathsf{N}}\,v)$; and

(e) $R = \lambda A{:}\mathrm{Prop}\,.\,\lambda x{:}A\,.\,\lambda y{:}\mathsf{N} \to A \to A\,.\,\lambda z{:}\mathsf{N}\,.\,z(\mathsf{N} \to A)\,P\,(\lambda w{:}\mathsf{N}\,.\,x)\,z$,
where $P = \lambda u{:}\mathsf{N} \to A\,.\,\lambda w{:}\mathsf{N}\,.\,y(\pi w)(u(\pi w))$.

The term $\bar{n}$, which represents the natural number $n$, is defined to be

$$\sigma(\sigma(\ldots(\sigma 0)\ldots)),$$

where there are $n$ occurrences of $\sigma$.

As we saw above, it is not hard to show that

$$0 : \mathsf{N},$$

$$\sigma : \mathsf{N} \to \mathsf{N},$$

$$\pi : \mathsf{N} \to \mathsf{N},$$

and

$$R : (\forall A : \mathrm{Prop})(A \to (\mathsf{N} \to A \to A) \to \mathsf{N} \to A).$$

It is also easy to show that

$$\bar{n} =_\beta \lambda A{:}\mathrm{Prop}\,.\,\lambda x{:}A \to A\,.\,\lambda y{:}A\,.\,x(x(\ldots(xy)\ldots)),$$

where there are $n$ occurrences of $x$ after the last abstraction,

$$\pi 0 =_\beta 0,$$

$$\pi(\sigma\bar{n}) =_\beta \bar{n},$$

and also, for any type $A : \mathrm{Prop}$ and any terms $M$ and $N$ of types $A$ and $\mathsf{N} \to A \to A$
respectively,

$$RAMN0 =_\beta M$$

and

$$RAMN(\sigma\bar{n}) =_\beta N\bar{n}(RAMN\bar{n}).$$

We know that this definition works in the sense that we can define all primitive
recursive functions and that the Peano axioms hold. However, our knowledge of the
Peano axioms is entirely metatheoretic; we do not get the formulas representing these
axioms as theorems of TAC. To get the Peano axioms holding formally within TAC, we
need to add some new axioms. The first two axioms we need are obvious:

$$\mathrm{Peano1} = (\forall n : \mathsf{N})(\neg\, \sigma n =_{\mathsf{N}} 0)$$

and

$$\mathrm{Peano2} = (\forall m : \mathsf{N})(\forall n : \mathsf{N})(\sigma m =_{\mathsf{N}} \sigma n \to m =_{\mathsf{N}} n).$$

We also need the induction axiom:

$$\mathrm{Peano} = (\forall A : \mathsf{N} \to \mathrm{Prop})((\forall m : \mathsf{N})(Am \to A(\sigma m)) \to A0 \to (\forall n : \mathsf{N})(An)).$$

Since the defining equations for $+$ and $\times$ follow from the reduction properties of $R$ and
rule (Eq″), it may appear that we have everything we need for arithmetic.

However, we are not finished. For although the only closed terms of type $\mathsf{N}$ are
known to be natural numbers⁹, so that the axiom Peano does not really restrict the
domain of objects in $\mathsf{N}$, we do need to be able to talk about objects in other types which
are not natural numbers. We may even want to create a supertype of $\mathsf{N}$, and in such a
supertype, where we will have things which are not natural numbers, we will want to be
able to assert that an object is not a natural number. To do this, we need to be able to
say that something is a natural number. And so far, we have no way of doing this that
is part of the logic; we have only

$$M : \mathsf{N},$$

which is definitely not the same thing. Thus, we need a predicate of the logic, $\mathcal{N}$, which
says that something is a natural number. The definition we want is as follows:

$$\mathcal{N} = \lambda n{:}\mathsf{N}\,.\,(\forall A : \mathsf{N} \to \mathrm{Prop})((\forall m : \mathsf{N})(Am \to A(\sigma m)) \to A0 \to An).$$

It is easy to prove

$$\vdash_{\mathrm{TAC}} \mathcal{N} : \mathsf{N} \to \mathrm{Prop},$$

$$\vdash_{\mathrm{TAC}} M : \mathcal{N}0,$$

$$\vdash_{\mathrm{TAC}} N : (\forall n : \mathsf{N})(\mathcal{N}n \to \mathcal{N}(\sigma n)),$$

for closed terms $M$ and $N$.

Now that we have the definition of $\mathcal{N}$, we no longer need the axiom Peano, for it is
easy to prove¹⁰ that there is a closed term $M$ such that

$$\vdash_{\mathrm{TAC}} M : (\forall A : \mathsf{N} \to \mathrm{Prop})((\forall m : \mathsf{N})(Am \to A(\sigma m)) \to A0 \to (\forall n : \mathsf{N})(\mathcal{N}n \to An)).$$

⁹Except for $\lambda A{:}\mathrm{Prop}\,.\,\lambda x{:}A \to A\,.\,x$; this term is $\eta$-convertible to $\bar{1}$, but not $\beta$-convertible. But this
term is not really something other than a natural number.

¹⁰This is not mentioned in [Hue86] or [Hue87].


While this is not exactly Peano, it is close enough for practical purposes¹¹.

This leaves us with the axioms Peano1 and Peano2. These two axioms appear to
constitute a minor variation of the well-formed environment $\Gamma$ of Theorem 5.2. In fact,
a similar proof gives us the following result:

Theorem 5.3 (Q-consistency of arithmetic) If $\Gamma$ is

$$c_1 : \mathrm{Peano1},\ c_2 : \mathrm{Peano2},$$

and if

$$\Gamma \vdash_{\mathrm{TAC}} R : M =_A N,$$

where $R$ is a closed term, $A$ is a type in Prop, and $M$ and $N$ are terms of type $A$, then

$$M =_\beta N.$$

Corollary 5.3.1 If $\Gamma$ is as in the theorem, then it is consistent; i.e.,

$$\Gamma \nvdash_{\mathrm{TAC}} \bot.$$

The theory of arithmetic we have just seen is an excellent prototype for inductively
generated free algebras, which can all be defined by similar methods¹². It is not strictly
necessary to have definitions for the types and constants involved: the above theory
would work just as well if $\mathsf{N}$, $0$, $\sigma$, and $R$ were new atomic constants¹³. If we do take
them as atomic constants, then Peano can be interpreted as saying that type $\mathsf{N}$ is assigned
only to terms in the set $\mathcal{N}$, and so we are justified in concluding the consistency of the
system with axiom Peano added.

As an example of an inductively generated free algebra, let us consider lists. To have
lists of terms of type $A$, we need a type List which, when applied to $A$, forms the type
$\mathrm{List}A$ of lists of objects of type $A$. We also need the empty list, $\mathrm{nil}A$, and the function
$\mathrm{cons}A$ of type $A \to \mathrm{List}A \to \mathrm{List}A$ which puts an object of type $A$ at the front of a list
of objects of type $A$ to produce a new list of objects of type $A$. We will want to be able
to define recursively functions on lists and objects of type $A$. For example, the function
append, which concatenates two lists, is defined as follows, where $L_1$ and $L_2$ are lists of
type $\mathrm{List}A$ and $M : A$:

$$\mathrm{append}A(\mathrm{nil}A)L_2 = L_2,$$

$$\mathrm{append}A(\mathrm{cons}A\,M\,L_1)L_2 = \mathrm{cons}A\,M(\mathrm{append}A\,L_1\,L_2).$$

¹¹What Peano actually does is to say that the induction principle holds formally for the type $\mathsf{N}$. We
know metatheoretically that it holds for $\mathsf{N}$, but without the axiom Peano, we do not have the result as
a formal theorem of TAC. Since we do have that formal knowledge about $\mathcal{N}$, it is difficult to imagine
circumstances in which this formal knowledge about $\mathsf{N}$ would be necessary.

¹²This amounts to applying to the theory of constructions the method of [BB].

¹³Of course, the reduction rules for $R$ have to be postulated in this case. We can have confidence that
there is no problem with the strong normalization theorem if these new constants are assumed, precisely
because we can define all of them as closed terms from which the reduction rules for $R$ can be deduced.


To take another example, the function reverse, which reverses the order of a list, is defined
by

$$\mathrm{reverse}A\,L = \mathrm{flip}A\,L(\mathrm{nil}A),$$

where flip is defined by

$$\mathrm{flip}A(\mathrm{nil}A)L_2 = L_2,$$

$$\mathrm{flip}A(\mathrm{cons}A\,M\,L_1)L_2 = \mathrm{flip}A\,L_1(\mathrm{cons}A\,M\,L_2).$$

To make definitions like this, we need a term which plays with respect to lists the role
that $R$ plays with respect to $\mathsf{N}$.

It turns out to be possible to define List, nil, and cons so that these recursive definitions
become possible:

$$\mathrm{List} = \lambda A{:}\mathrm{Prop}\,.\,(\forall u : \mathrm{Prop})((A \to u \to u) \to u \to u),$$

$$\mathrm{nil} = \lambda A{:}\mathrm{Prop}\,.\,\lambda B{:}\mathrm{Prop}\,.\,\lambda f{:}A \to B \to B\,.\,\lambda y{:}B\,.\,y,$$

$$\mathrm{cons} = \lambda A{:}\mathrm{Prop}\,.\,\lambda x{:}A\,.\,\lambda L{:}\mathrm{List}A\,.\,\lambda B{:}\mathrm{Prop}\,.\,\lambda f{:}A \to B \to B\,.\,\lambda y{:}B\,.\,fx(LBfy).$$

The intention is that if $L =_\beta (x_1, x_2, \ldots, x_n)$ is a list in $\mathrm{List}A$, $f : A \to B \to B$, and
$y : B$, then

$$LBfy \triangleright fx_1(fx_2(\ldots(fx_n y)\ldots)).$$

To show that this definition works, note that if $h : A \to B \to B$ and $M : B$, and if $g$ is
defined by

$$g \equiv \lambda l{:}\mathrm{List}A\,.\,lBhM,$$

then $g$ has the properties

$$g(\mathrm{nil}A) \triangleright M,$$

$$g(\mathrm{cons}A\,x\,L) \triangleright hx(gL),$$

for all $x : A$ and $L : \mathrm{List}A$. This function $g$ allows us to define append, reverse, and such
other list functions as length, mapcar, null, car, and cdr.
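As an added example (not part of the original document), the encoding of List, nil, cons and the fold $g$ can be typed in TypeScript in the same way as the numerals: the $(\forall u : \mathrm{Prop})$ quantifier becomes a generic function type, and every list function below is an instance of $g$ with a particular $h$ and $M$. The case of flip shows how a definition whose recursion carries an accumulator is still an instance of $g$, by folding into the function type $\mathrm{List}A \to \mathrm{List}A$. The names List, fold, isNull, fromArray and toArray are the example's own.

```typescript
// List A = (forall U : Prop)((A -> U -> U) -> U -> U)
type List<A> = <U>(f: (a: A, u: U) => U, y: U) => U;

// nil A = \B.\f.\y. y          cons A x L = \B.\f.\y. f x (L B f y)
const nil = <A>(): List<A> => (_f, y) => y;
const cons = <A>(x: A, l: List<A>): List<A> => (f, y) => f(x, l(f, y));

// g = \l : List A . l B h M, with g (nil A) |> M and g (cons A x L) |> h x (g L).
const fold = <A, B>(h: (a: A, b: B) => B, m: B, l: List<A>): B => l<B>(h, m);

// append A L1 L2: the nil case returns L2, the cons case re-conses onto the result.
const append = <A>(l1: List<A>, l2: List<A>): List<A> =>
  fold<A, List<A>>((x, acc) => cons(x, acc), l2, l1);

// flip A L1 L2 moves L1's elements one by one onto the front of L2. Its recursion
// passes an accumulator, so it is g with B = List A -> List A:
//   flip nil = \acc. acc        flip (cons x L) = \acc. flip L (cons x acc)
const flip = <A>(l1: List<A>, l2: List<A>): List<A> =>
  fold<A, (acc: List<A>) => List<A>>(
    (x, rest) => (acc) => rest(cons(x, acc)),
    (acc) => acc,
    l1,
  )(l2);

// reverse A L = flip A L (nil A)
const reverse = <A>(l: List<A>): List<A> => flip(l, nil<A>());

// length, mapcar and null as further instances of g.
const length = <A>(l: List<A>): number => fold<A, number>((_x, n) => n + 1, 0, l);
const mapcar = <A, B>(fn: (a: A) => B, l: List<A>): List<B> =>
  fold<A, List<B>>((x, acc) => cons(fn(x), acc), nil<B>(), l);
const isNull = <A>(l: List<A>): boolean => fold<A, boolean>(() => false, true, l);

// Conversions to and from arrays, for inspection only.
const fromArray = <A>(xs: A[]): List<A> =>
  xs.reduceRight((acc: List<A>, x: A) => cons(x, acc), nil<A>());
const toArray = <A>(l: List<A>): A[] => fold<A, A[]>((x, acc) => [x, ...acc], [], l);
```

Note that car and cdr, which the text also mentions, follow the same pattern as $\pi$ on numerals: cdr is a fold into a pair of lists, just as the predecessor is a fold into a pair of numerals.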

Just as we defined $\mathcal{N}$ corresponding to $\mathsf{N}$, so we can define $\mathcal{L}$ corresponding to List.
The definition is as follows:

$$\mathcal{L} = \lambda A{:}\mathrm{Prop}\,.\,\lambda z{:}\mathrm{List}A\,.\,(\forall B : \mathrm{List}A \to \mathrm{Prop})((\forall u : A)(\forall l : \mathrm{List}A)(Bl \to B(\mathrm{cons}A\,u\,l)) \to B(\mathrm{nil}A) \to Bz).$$

It is then easy to prove

$$\vdash_{\mathrm{TAC}} \mathcal{L} : (\forall A : \mathrm{Prop})(\mathrm{List}A \to \mathrm{Prop}),$$

$$\vdash_{\mathrm{TAC}} M : (\forall A : \mathrm{Prop})(\mathcal{L}A(\mathrm{nil}A)),$$

$$\vdash_{\mathrm{TAC}} N : (\forall A : \mathrm{Prop})(\forall u : A)(\forall l : \mathrm{List}A)(\mathcal{L}Al \to \mathcal{L}A(\mathrm{cons}A\,u\,l)),$$

$$\vdash_{\mathrm{TAC}} P : (\forall A : \mathrm{Prop})(\forall B : \mathrm{List}A \to \mathrm{Prop})((\forall u : A)(\forall l : \mathrm{List}A)(Bl \to B(\mathrm{cons}A\,u\,l)) \to B(\mathrm{nil}A) \to (\forall l : \mathrm{List}A)(\mathcal{L}Al \to Bl)),$$

for some closed terms $M$, $N$, and $P$. This gives us the desired induction property on
lists. All we still need are axioms corresponding to Peano1 and Peano2:

$$(\forall A : \mathrm{Prop})(\forall x : A)(\forall y : A)(\forall l : \mathrm{List}A)(\forall m : \mathrm{List}A)(\mathrm{cons}A\,x\,l =_{\mathrm{List}A} \mathrm{cons}A\,y\,m \to x =_A y \wedge l =_{\mathrm{List}A} m),$$

and

$$(\forall A : \mathrm{Prop})(\forall x : A)(\forall l : \mathrm{List}A)(\neg\, \mathrm{cons}A\,x\,l =_{\mathrm{List}A} \mathrm{nil}A).$$

A modification of the proof of Theorem 5.3 shows that these two axioms are consistent.


5.4 Representing sets and functions

We spoke in the last section of the predicate $\mathcal{N}$ of natural numbers. But most
mathematicians prefer to think of the set of natural numbers. This point of view is easily
accommodated in the theory of constructions, since it is easy to think of a predicate as
a set¹⁴.

Thus, suppose we have some type $U : \mathrm{Prop}$ or $U : \mathrm{Type}$. Then we may think of $U$ as
the current universe. Sets over $U$ are defined to be predicates of type $U \to \mathrm{Prop}$. More
formally, we may define

$$\mathrm{Set}_U = U \to \mathrm{Prop}.$$

In terms of this definition, $\mathcal{N} : \mathrm{Set}_{\mathsf{N}}$ and, if $A : \mathrm{Prop}$, $\mathcal{L}A : \mathrm{Set}_{\mathrm{List}A}$. If $A : \mathrm{Set}_U$, then we
define $x \in A$ to be $Ax$. The set $\{x : U \mid E\}$ is defined to be $\lambda x{:}U\,.\,E$. Inclusion of set
$A$ in set $B$ can be defined by

$$A \subseteq B = (\forall x : U)(x \in A \to x \in B)$$

and the corresponding equality by

$$A = B = A \subseteq B \wedge B \subseteq A.$$

A special intensional equality on $U$ can be defined as follows:

$$x = y = (\forall A : \mathrm{Set}_U)(x \in A \to y \in A).$$

Many of the usual sets and set operations can be easily defined. For example:

$$\emptyset = \{x : U \mid \bot\},$$

$$A \cap B = \{x : U \mid x \in A \wedge x \in B\},$$

$$A \cup B = \{x : U \mid x \in A \vee x \in B\},$$

and

$$\sim A = \{x : U \mid \neg(x \in A)\}.$$

When no confusion results, we can leave out $U$ and write $\{x \mid E\}$, Set, etc.

It is important to remember the constructive nature of the logic. This means that
the set operations given above are not exactly like those in ordinary mathematics. For
example, we have

$$A \subseteq \sim\sim A,$$

but not, in general, the converse.

One operation on sets that we do not have here is the power set operation. For the
power set of $A$, i.e. the set of all subsets of $A$, is defined by

$$\mathcal{P}A = \lambda B{:}\mathrm{Set}\,.\,B \subseteq A,$$

¹⁴This material is based on the work of Huet [Hue86], Chapter 12, and [Hue87].


and the type of $\mathcal{P}A$ is not Set, which is $U \to \mathrm{Prop}$, but instead $\mathrm{Set} \to \mathrm{Prop}$. Terms of
type $\mathrm{Set} \to \mathrm{Prop}$ will be called classes, and we will give the formal definition

$$\mathrm{Class}_U = \mathrm{Set}_U \to \mathrm{Prop}.$$

Since $U$ can be replaced by $\mathrm{Set}_U$, all set operations are also class operations. We can
define other class operations, for example

$$\bigcap C = \{x \mid (\forall A : \mathrm{Set})(CA \to x \in A)\},$$

and

$$\bigcup C = \{x \mid (\exists A : \mathrm{Set})(CA \wedge x \in A)\}.$$

We can also define the singleton in terms of classes:

$$\{x\} = \bigcap(\lambda A{:}\mathrm{Set}\,.\,x \in A).$$

With these definitions,

$$\mathcal{N} : \mathrm{Set}_{\mathsf{N}}.$$

We know metatheoretically that the closed terms which are elements of the set $\mathcal{N}$ are
exactly the closed terms of type $\mathsf{N}$. Thus, the set $\mathcal{N}$ represents the type $\mathsf{N}$ in a special
way. There is no known uniform method of defining sets to represent types for arbitrary
types that does not require extra axioms¹⁵.

Most mathematicians think of functions as sets of ordered pairs, but this conception
is not really appropriate here. For we already have functions built into the theory
of constructions as primitive. A function is simply a term assigned to a type of the
form $(\forall x : A)B$. Functions can, of course, be elements of sets, especially if the sets
correspond to types the way $\mathcal{N}$ corresponds to $\mathsf{N}$. Since a set corresponding to a type $A$
is a term of type $A \to \mathrm{Prop}$, a set of functions from type $A$ to type $B$ is a term of type
$(A \to B) \to \mathrm{Prop}$. To say that a function $f$ is a function from set $A$ to set $B$, we use the
type

$$(\forall x : U)(x \in A \to fx \in B).^{16}$$

It follows that the set of functions from set $A$ to set $B$ is

$$\lambda f{:}U \to U\,.\,(\forall x : U)(x \in A \to fx \in B).$$

If $f : U \to U$, then for $A : \mathrm{Set}$ we can define

$$\mathrm{Preserve}\,f\,A = (\forall x : U)(x \in A \to fx \in A).$$

In terms of this operator, the induction axiom Peano can be written as

$$\mathrm{Peano} =_\beta (\forall A : \mathsf{N} \to \mathrm{Prop})((\mathrm{Preserve}\,\sigma\,A) \to 0 \in A \to (\forall n : \mathsf{N})(n \in A)),$$

¹⁵It is, of course, possible to add an axiom of the form $\mathcal{A}M$ for each closed term $M : A$, where $A$ is a
type and $\mathcal{A}$ is the set intended to represent it, but many of these axioms are likely to upset the proof
of strong normalization.

¹⁶Naturally we must have $f : U \to U$.
and the definition of $\mathcal{N}$ as

$$\mathcal{N} =_\beta \lambda n{:}\mathsf{N}\,.\,(\forall A : \mathsf{N} \to \mathrm{Prop})(\mathrm{Preserve}\,\sigma\,A \to 0 \in A \to n \in A).$$

This may help to show how to standardize the definition of inductively defined free
algebras.

This much set theory is sufficient for most practical mathematical purposes, but from
the point of view of a set theorist it is incomplete. Its major weakness is that if $A$ is a
set, $\mathcal{P}A$ is not a set but a class; in the standard set theories it is also a set. To make
this a set, we would need to have Set include not only the terms in $U \to \mathrm{Prop}$ but also those in
$(U \to \mathrm{Prop}) \to \mathrm{Prop}$, $((U \to \mathrm{Prop}) \to \mathrm{Prop}) \to \mathrm{Prop}$, etc. This can be represented in the
theory of constructions as follows:¹⁷ first define

$$\mathrm{Set}_1 = U \to \mathrm{Prop},$$

$$\mathrm{Set}_{n+1} = \mathrm{Set}_n \to \mathrm{Prop}.$$

Then we want to introduce a new type Set which will be assigned to terms in any of the
types $\mathrm{Set}_n$. This requires that each type $\mathrm{Set}_n$ be a subtype of Set.

There is a general method of making type $A$ a subtype of type $B$: it is to take as an
assumption

$$\lambda x{:}A\,.\,x \;:\; A \to B.$$

From this assumption and $M : A$, we get $(\lambda x{:}A\,.\,x)M : B$, and clearly $(\lambda x{:}A\,.\,x)M$
represents the same object as $M$; in fact, it reduces to $M$. Assumptions of this form
have not been considered so far in the theory of constructions, and cannot occur in well-formed
environments. However, they have been considered in connection with ordinary
type assignment; see [CHS72], pp. 153 and 304, where they are called proper inclusions.
Furthermore, conditions under which these assumptions are compatible with the normal
form theorem are given in [Sel77], Remark 2, p. 23. It is possible to extend condition (i)
of that Remark to TAC:

Theorem 5.4 (Consistency of proper inclusions) Let $\Gamma$ be a well-formed environment,
and let $\Gamma'$ be a sequence of assumptions each of which has the form

$$\lambda x{:}A\,.\,x \;:\; A \to B,$$

where $B$ is an atomic constant, the assumption $B : k$ occurs in $\Gamma$, and $B \to C$ is not a
type in $\Gamma'$ for any type $C$. Then any deduction of

$$\Gamma, \Gamma' \vdash_{\mathrm{TAC}} M : A$$

is strongly normalizable and both $M$ and $A$ have normal forms.

Proof We begin by proving that the required deductions are SN. Begin by replacing in
each assumption in $\Gamma'$ the term $\lambda x{:}A\,.\,x$ by a variable which does not occur free in either
$\Gamma$ or $\Gamma'$, using a distinct variable for each such assumption. The resulting deductions
are all SN by Theorem 4.14. Hence, the deductions in which we are interested, which
are all obtained by substituting terms for variables, are also all SN.

Now let us consider the terms in these deductions. These terms may contain redexes
of the form

$$(\lambda x{:}A\,.\,x)M.$$

A contraction will replace this redex by $M$. What we need to know is that this will
not produce a new redex. This could only happen if the original redex occurred in a
subterm of the form

$$(\lambda x{:}A\,.\,x)MN_1N_2\ldots N_n,$$

and since the type of

$$(\lambda x{:}A\,.\,x)M$$

is $B$, which is by hypothesis a new constant and hence not convertible to the form
$(\forall y : C)D$, this is impossible. ■

Now, in order to interpret a set theory in which the power set of a set is a set, we
need only define $\mathrm{Set}_n$ as indicated above for each $n \geq 1$, define Set to be a new atomic
constant, assume $\mathrm{Set} : \mathrm{Prop}$ or $\mathrm{Set} : \mathrm{Type}$, and then assume the proper inclusion

$$\lambda x{:}\mathrm{Set}_n\,.\,x \;:\; \mathrm{Set}_n \to \mathrm{Set}$$

for each $n \geq 1$¹⁸. It follows from what we have just proved that this is consistent; for
Set is essentially the union of all the $\mathrm{Set}_n$, and in any given deduction, it will be possible
to replace Set by the union of a finite number of the $\mathrm{Set}_n$ and thus avoid using any new
assumptions.

¹⁷This is not done in [Hue86] or [Hue87].

¹⁸This involves an infinite number of assumptions, but they can all be described in a finite manner,
and so it is not unreasonable to suppose that this can be implemented.
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Appendix  A 

LIST  OF  POSTULATES 
AND  SYSTEMS 


Here  are  listed  the  various  postulates  which  have  appeared  in  this  document,  and  the 
systems  in  which  they  occur.  A  list  of  the  systems  and  the  number  of  their  definitions 
is  given  in  appendix 

2.  The  rules  are  listed  in  the  order  in  which  their  main  operators  first  appear. 

(→ Formation): TAJ, TAT
(→e): TA, TAP, TAJ, TAT
(→i): TA, TAP; (alternate form) TAJ, TAT
(∀ Formation): TAGU
(∀e): TAP; (another sense) NJ*; (another sense) TAGU, TAG
(∀i): TAP; (another sense) NJ*
(∀J Formation): TAJ
(∀Je): TAJ
(∀Ji): TAJ
(∀P): TACS
(∀Pi): TAC
(∀T): TACS
(∀Ti): TAC
(∀Ui): TAGU
(∀α Formation): TAT
(∀αe): TAT, TAG
(∀αi): TAT, TAG
(=β): TA; (another sense) TACS
«): TAP, TAJ, TAT, TAG, TAGU, TAC
(='α): TAJ, TAT
(⊃e): NA(⊃), NJ, NJ*
(⊃i): NA(⊃), NJ, NJ*
(∧e): NJ, NJ*
(∧i): NJ, NJ*
(∨e): NJ, NJ*
(∨i): NJ, NJ*
(¬e): Derived in NJ, NJ*
(¬i): Derived in NJ, NJ*
(⊥j): NJ, NJ*
(⊥j#): added to extended TA, TAJ
(∃e): NJ*
(∃i): NJ*
(∃J Formation): TAJ
(∃Je): TAJ
(∃Ji): TAJ
(e,): TAJ
(w,-): TAJ
(V>i): TAJ
(void): TAJ
(× Formation): TAJ
(×e)_1: TAJ
(×e)_2: TAJ
(×i): TAJ
(+ Formation): TAJ
(+e): TAJ
(+i)_1: TAJ
(+i)_2: TAJ
(Eq'): TAG, TAGU, TAC, TACS
(Eq'U): TAGU
(Eq'P): TAG, TACS
(Eq'T): TAG, TACS
(P): TACS
(PP Formation): TAC
(PT): TAC; (another sense) TACS
(PT Formation): TAC
(T): TACS
(TP Formation): TAC
(TT Formation): TAC
(App): TACS
(var): TACS
(λi): TACS
Appendix B

SYSTEMS AND THEIR DEFINITIONS

Here is a list of systems and their definitions.

NA(⊃): Definition 3.2.

NJ: Definition 3.4.

NJ*: Definition 3.6.

TA: Definition 2.1.

Extended TA: Remark after Corollary 2.2.3 (end of Section 2.1).

TAC: Definition 4.2.

TACS: Definition 4.21.

TAG: Definition 2.22.

TAGU: Definition 2.24.

TAJ: Definition 3.10.

TAP: Definition 2.12.

TAT: Definition 3.12.




MISSION
of
Rome Air Development Center

RADC plans and executes research, development, test and selected acquisition programs in support of Command, Control, Communications and Intelligence (C³I) activities. Technical and engineering support within areas of competence is provided to ESD Program Offices (POs) and other ESD elements to perform effective acquisition of C³I systems.

The areas of technical competence include communications, command and control, battle management, information processing, surveillance sensors, intelligence data collection and handling, solid state sciences, electromagnetics, and propagation, and electronic reliability, maintainability, and compatibility.